npm/h3 — 5 CVEs · VulnScope

HIGH8.9CVE-2026-23527h3 v1 has Request Smuggling (TE.TE) issue

from 0, < 1.15.5

HIGH7.5CVE-2026-33128h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

>= 2.0.0, < 2.0.1-rc.15

HIGH7.4CVE-2026-33131h3 has a middleware bypass with one gadget

>= 2.0.0-0, < 2.0.1-rc.15

MEDIUM5.9h3 has an observable timing discrepancy in basic auth utils

>= 2.0.0-beta.0, < 2.0.1-rc.9

LOW3.7h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

>= 2.0.1-alpha.0, < 2.0.1-rc.17

pkg:npm/h3