DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23527: Case Sensitivity Kills: HTTP Request Smuggling in H3

#security #cve #cybersecurity

Case Sensitivity Kills: HTTP Request Smuggling in H3

Vulnerability ID: CVE-2026-23527
CVSS Score: 8.9
Published: 2026-01-15

A critical HTTP Request Smuggling vulnerability in the H3 framework allows attackers to desynchronize sockets by using mixed-case 'Transfer-Encoding' headers, leading to potential cache poisoning and request hijacking.

TL;DR

H3, the underlying HTTP engine for Nuxt and Nitro, checked for the string "chunked" using a case-sensitive match. Attackers can send "ChuNked" to bypass body parsing on the backend while proxies still forward the body. This leaves leftover data on the TCP socket, causing subsequent requests to be hijacked.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-444 (Inconsistent Interpretation of HTTP Requests)
  • CVSS: 8.9 (High)
  • Attack Vector: Network (HTTP Request Smuggling)
  • Exploit Status: PoC Available
  • Root Cause: Case-sensitive string comparison on Transfer-Encoding
  • Architecture: Node.js / Server-side JavaScript

Affected Systems

  • H3 Framework < 1.15.5
  • Nuxt.js applications (utilizing vulnerable Nitro/H3 versions)
  • Nitro server engine
  • Any Node.js app using h3 for HTTP handling
  • h3: < 1.15.5 (Fixed in: 1.15.5)

Code Analysis

Commit: 618ccf4

fix(body): treat transfer-encoding as case insensitive

- .includes("chunked")
+ !/\bchunked\b/i.test(String(event.node.req.headers["transfer-encoding"] ?? ""))
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Research PoC: Send a request with 'Transfer-Encoding: ChuNked' and observe if the server hangs (correct) or responds immediately (vulnerable).

Mitigation Strategies

  • Normalize HTTP headers at the edge/proxy level.
  • Enforce strict RFC 9112 compliance on load balancers.
  • Upgrade backend framework to patch logic flaws.

Remediation Steps:

  1. Identify all services using h3, nuxt, or nitro.
  2. Update h3 dependency to version 1.15.5 or greater.
  3. Verify the fix by inspecting node_modules/h3/dist/index.mjs or equivalent for the regex change.
  4. Restart all application services.

References

Read the full report for CVE-2026-23527 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)