DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-Q5PR-72PQ-83V3: Unbounded Chunked Cookie Count Denial of Service in h3

Vulnerability ID: GHSA-Q5PR-72PQ-83V3
CVSS Score: 7.5
Published: 2026-03-23

A logic-based Denial of Service (DoS) vulnerability exists in h3, the minimal HTTP framework used by Nitro and therefore by Nuxt applications. The chunked cookie parsing logic takes the number of chunks from the cookie itself without bounding it, so the loop that reassembles the chunks runs as many times as the client claims. A remote, unauthenticated attacker can use this to exhaust server resources and block the Node.js event loop.

TL;DR

h3 fails to validate the chunk count in chunked cookies. An attacker can supply an artificially high chunk count in a single small cookie, forcing the server into an expensive O(n²) loop during session cleanup. Because the work is synchronous, it blocks the Node.js event loop for every other request on the process and causes a Denial of Service.


āš ļø Exploit Status: POC

Technical Details

  • CWE ID: CWE-606, CWE-400
  • Attack Vector: Network
  • CVSS Base Score: 7.5
  • Impact: High (Denial of Service)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • h3 (npm package)
  • Nuxt (via Nitro)
  • Nitro engine
  • h3: < 2.0.1-rc.18 (Fixed in: 2.0.1-rc.18)

Code Analysis

Commit: 399257c

Fix unbounded chunked cookie count causing Denial of Service
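To make the bug class behind the TL;DR and this commit concrete, here is an added JavaScript illustration written for this write-up. It is not h3's code and does not reproduce h3's actual cookie layout or the exact checks in commit 399257c. It assumes a simplified format in which the cookie `sess` holds the chunk count and the chunks live in `sess.0`, `sess.1`, ... (both assumed). The vulnerable reader trusts the count and loops that many times regardless of how many chunks exist; the hardened reader rejects anything that is not a small positive integer, caps it at a fixed ceiling, and requires every declared chunk to be present. The sample headers are constructed, not captured traffic.

```javascript
// Added illustration for this write-up, not h3's code. Assumed (simplified) layout:
// the cookie <name> holds the chunk count as a decimal string, and the chunks are
// stored in <name>.0, <name>.1, ... in order. h3's real format may differ.

const MAX_CHUNKS = 20; // assumed ceiling; a real app sets this to its largest legitimate count

// Constructed sample headers (not captured traffic).
const LEGIT_COOKIE_HEADER = 'sess=2; sess.0=abc; sess.1=def';
// Twelve bytes on the wire, yet it asks the vulnerable reader for one million iterations.
const ATTACKER_COOKIE_HEADER = 'sess=1000000';

// Minimal Cookie header parser: "k=v; k2=v2" -> { k: 'v', k2: 'v2' }.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    if (key) cookies[key] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// VULNERABLE: the loop bound comes straight from the attacker-controlled count cookie
// (CWE-606). Work done is proportional to the claimed count, not to the chunks that
// actually exist, and it all runs synchronously on the event loop.
function getChunkedCookieVulnerable(cookies, name) {
  const count = parseInt(cookies[name], 10);
  if (Number.isNaN(count)) return undefined;
  let value = '';
  let iterations = 0;
  for (let i = 0; i < count; i++) {
    iterations++;
    value += cookies[`${name}.${i}`] ?? ''; // a missing chunk silently contributes nothing
  }
  return { value, iterations };
}

// HARDENED: validate the count before using it as a loop bound.
//  1. it must be a short, plain decimal integer (no sign, no exponent, no whitespace);
//  2. it must lie within [1, maxChunks];
//  3. every chunk it declares must actually be present, otherwise the cookie is rejected.
function getChunkedCookieSafe(cookies, name, maxChunks = MAX_CHUNKS) {
  const raw = cookies[name];
  if (raw === undefined || !/^\d{1,3}$/.test(raw)) return undefined;
  const count = Number(raw);
  if (count < 1 || count > maxChunks) return undefined;
  const parts = [];
  for (let i = 0; i < count; i++) {
    const chunk = cookies[`${name}.${i}`];
    if (chunk === undefined) return undefined;
    parts.push(chunk);
  }
  return { value: parts.join(''), iterations: count };
}

// Runs both readers against the legitimate and the malicious header.
function demo() {
  const legit = parseCookieHeader(LEGIT_COOKIE_HEADER);
  const evil = parseCookieHeader(ATTACKER_COOKIE_HEADER);
  return {
    legitVulnerable: getChunkedCookieVulnerable(legit, 'sess'),
    legitSafe: getChunkedCookieSafe(legit, 'sess'),
    evilVulnerable: getChunkedCookieVulnerable(evil, 'sess'),
    evilSafe: getChunkedCookieSafe(evil, 'sess'),
  };
}

console.log(demo());
```

The point to take from the two readers is that the malicious request is tiny: the cost is set by the value of the count, not by the size of the header, so the fix has to bound the count at the parser rather than rely on request-size limits. The page only tells us that the upstream commit bounds the chunk count; the specific checks above are this article's illustration of that idea.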

Mitigation Strategies

  • Upgrade h3 to 2.0.1-rc.18 or later, the release that bounds the chunk count before it is used as a loop limit.
  • Deploy a Web Application Firewall (WAF) rule to block requests whose chunked-cookie count exceeds the largest value your application legitimately sets.
  • Ensure robust reverse proxy configurations that restrict malformed or excessive HTTP header lengths. Note that a large count itself is only a few bytes, so header-length limits are defence in depth rather than a fix; the count must be bounded at the parser.

Remediation Steps:

  1. Identify all projects utilizing h3, Nitro, or Nuxt, including those that pull h3 in only as a transitive dependency.
  2. Execute dependency audits using 'npm audit' or 'yarn audit' to pinpoint vulnerable h3 versions; 'npm ls h3' shows every copy in the tree and which package depends on it.
  3. Update the project dependencies so that every copy of h3, including the one Nitro and Nuxt bring in, resolves to v2.0.1-rc.18 or higher.
  4. Rebuild and deploy the application, monitoring for any unexpected session handling regressions.

Read the full report for GHSA-Q5PR-72PQ-83V3 on our website for more details including interactive diagrams and full exploit analysis.
