DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FP4X-GGRF-WMC6: Open Redirect via Protocol-Relative Paths in UnJS H3

Vulnerability ID: GHSA-FP4X-GGRF-WMC6
CVSS Score: 6.1
Published: 2026-03-23

A vulnerability in the UnJS H3 package allows attackers to bypass the domain validation in the redirectBack() utility. By supplying a crafted Referer header whose path is protocol-relative, an attacker can make the application issue an open redirect to an arbitrary external domain. Versions prior to v2.0.1-rc.18 are affected.

TL;DR

The H3 redirectBack() function mishandles protocol-relative paths in the Referer header. A referer such as http://trusted.com//evil.com has the trusted origin, so it passes the origin check, but the URL parser reports its pathname as //evil.com. That value is written into the Location header verbatim, and browsers interpret Location: //evil.com as a scheme-relative redirect to the external host evil.com.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Open Redirect (CWE-601)
  • CVSS v3.1 Score: 6.1 (Medium)
  • Attack Vector: Network
  • Authentication Required: None
  • User Interaction: Required
  • Affected Component: redirectBack() utility
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Node.js Applications
  • UnJS H3 Framework
  • Nuxt Framework (depending on H3 version)
  • h3: < v2.0.1-rc.18 (Fixed in: v2.0.1-rc.18)

Code Analysis

Commit: 459a1c6

Fix open redirect via protocol-relative path in referer

@@ -1,6 +1,9 @@
-    location = refererURL.pathname + (opts.allowQuery ? refererURL.search : "");
+    let pathname = refererURL.pathname;
+    if (pathname.startsWith("//")) {
+      pathname = "/" + pathname.replace(/^\/+/, "");
+    }
+    location = pathname + (opts.allowQuery ? refererURL.search : "");
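Review bot: the hunk ships no regression test; add a case asserting that a Referer of `http://trusted.com//evil.com` (the PoC from this report) now yields `/evil.com` rather than `//evil.com`, and one with three or more leading slashes, since `replace(/^\/+/, "")` collapses any run of them. Minor style point: the `if (pathname.startsWith("//"))` guard is redundant because `"/" + pathname.replace(/^\/+/, "")` already leaves a single-slash path unchanged; it is harmless and can stay for readability.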

Mitigation Strategies

  • Upgrade the H3 package to version v2.0.1-rc.18 or a subsequent stable release.
  • Implement WAF rules to detect and block HTTP requests containing protocol-relative sequences (//) in the Referer header path.
  • Avoid relying exclusively on the Referer header for navigation routing, favoring explicit, server-managed redirect state.
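The following is an added example, not code from the H3 project: it models the origin check and path derivation described in the TL;DR, side by side with the normalization from the fix, and adds a defender-side check that flags a scheme-relative Location value. Function names and the `requestOrigin` parameter are assumptions of this example.

```javascript
// Added example (not H3 project code). Models how a redirectBack()-style
// helper derives a Location header from the Referer and why
// "http://trusted.com//evil.com" passes an origin check yet redirects off-site.

// Simplified origin check: the referer must share the request's origin.
function sameOrigin(referer, requestOrigin) {
  try {
    return new URL(referer).origin === requestOrigin;
  } catch {
    return false; // unparsable Referer: treat as untrusted
  }
}

// Vulnerable derivation: the pathname is used as-is. For
// "http://trusted.com//evil.com" the parser yields pathname "//evil.com".
function locationFromRefererVulnerable(referer, requestOrigin, fallback = "/") {
  if (!sameOrigin(referer, requestOrigin)) return fallback;
  const u = new URL(referer);
  return u.pathname + u.search;
}

// Hardened derivation mirroring the fix in commit 459a1c6: collapse any run
// of leading slashes to a single "/", so the result is always a local path.
// Because the WHATWG URL parser treats "\" like "/" for http(s), a referer
// of "http://trusted.com/\evil.com" also arrives here as "//evil.com".
function locationFromRefererFixed(referer, requestOrigin, fallback = "/") {
  if (!sameOrigin(referer, requestOrigin)) return fallback;
  const u = new URL(referer);
  let pathname = u.pathname;
  if (pathname.startsWith("//")) {
    pathname = "/" + pathname.replace(/^\/+/, "");
  }
  return pathname + u.search;
}

// Defender-side check for a Location value about to be emitted (or seen in
// logs): a browser treats "//host/..." and "/\host/..." as scheme-relative,
// so neither is a same-site path.
function isLocalRedirect(location) {
  return location.startsWith("/") && !/^\/[\/\\]/.test(location);
}

// Sample (constructed) values for a stand-alone run.
console.log(locationFromRefererVulnerable("http://trusted.com//evil.com", "http://trusted.com")); // //evil.com
console.log(locationFromRefererFixed("http://trusted.com//evil.com", "http://trusted.com"));      // /evil.com
```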

Remediation Steps:

  1. Identify all projects that use the unjs/h3 package directly or transitively (e.g., via Nuxt).
  2. Execute package manager update commands (e.g., npm install h3@latest or yarn upgrade h3).
  3. Verify the installed version in package-lock.json or yarn.lock matches or exceeds v2.0.1-rc.18.
  4. Run integration tests to ensure standard redirection functionality remains intact.

Read the full report for GHSA-FP4X-GGRF-WMC6 on our website for more details including interactive diagrams and full exploit analysis.
