CVE-2026-23527

8.9 HIGH

📋 TL;DR

CVE-2026-23527 is a critical HTTP request smuggling vulnerability in the H3 framework where case-sensitive header validation allows attackers to bypass security controls. This affects all systems running H3 versions before 1.15.5 that process HTTP requests. Attackers can exploit this to poison caches, bypass authentication, or perform other request smuggling attacks.

💻 Affected Systems

Products:
  • H3 framework
Versions: All versions prior to 1.15.5
Operating Systems: All operating systems running H3
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using H3's HTTP request processing with default configuration is vulnerable

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through cache poisoning, authentication bypass, and request smuggling leading to data exfiltration or unauthorized actions

🟠

Likely Case

Cache poisoning and request smuggling allowing attackers to bypass security controls and access restricted resources

🟢

If Mitigated

Limited impact with proper WAF/IPS filtering and network segmentation

🌐 Internet-Facing: HIGH - HTTP request smuggling directly affects web-facing applications
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but with reduced attack surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

HTTP request smuggling attacks require specific knowledge but tools exist for testing these vulnerabilities

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.5

Vendor Advisory: https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg

Restart Required: Yes

Instructions:

1. Update the H3 package to version 1.15.5 or later using npm, yarn or pnpm.
2. Restart the application server.
3. Verify that the update was successful.

🔧 Temporary Workarounds

WAF/IPS Rule Implementation

all

Deploy web application firewall rules to detect and block HTTP request smuggling attempts

Reverse Proxy Configuration

all

Configure reverse proxies to normalize Transfer-Encoding headers before reaching H3

🧯 If You Can't Patch

  • Implement strict WAF rules specifically for HTTP request smuggling detection
  • Deploy network segmentation to isolate vulnerable systems from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list h3' to verify installed H3 version is below 1.15.5

Check Version:

npm list h3 | grep h3

Verify Fix Applied:

After updating, verify version is 1.15.5 or higher and test with HTTP request smuggling test tools
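As an added example, not part of this advisory or the h3 project's own tooling, the following JavaScript compares the version reported by `npm list h3 --json` against the fixed release. The JSON tree in the block is a constructed sample of that command's output shape (h3 can also appear nested under another package, so the whole tree is walked), not real project data.

```javascript
// Added example (not from the advisory or the h3 project): decide whether an
// installed h3 version is below the fixed release 1.15.5.
// `npm list h3 --json` prints a dependency tree in which each node carries a
// `version`; the object below is a constructed sample of that shape.
const FIXED_VERSION = "1.15.5";

// Parse "MAJOR.MINOR.PATCH" (optionally with a "-prerelease" suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts before
// the same release without a suffix, so "1.15.5-rc.1" still counts as unfixed.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True when the installed version predates the fix.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Collect every h3 version in the tree, including copies nested under other packages.
function findH3Versions(tree, out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    if (name === "h3" && node.version) out.push(node.version);
    findH3Versions(node, out);
  }
  return out;
}

// Constructed sample: a project that pins an old h3 directly and also pulls a
// fixed copy in through another package.
const sampleNpmListOutput = {
  name: "example-app",
  version: "0.1.0",
  dependencies: {
    h3: { version: "1.15.4" },
    "some-framework": {
      version: "2.0.0",
      dependencies: { h3: { version: "1.15.5" } },
    },
  },
};

// One result per h3 copy found; any `vulnerable: true` entry needs attention.
function auditTree(tree) {
  return findH3Versions(tree).map((v) => ({
    version: v,
    vulnerable: isVulnerableVersion(v),
  }));
}

console.log(auditTree(sampleNpmListOutput));
```

To run it against a real project, replace `sampleNpmListOutput` with `JSON.parse` of the actual `npm list h3 --json` output; every copy of h3 in the tree, not only the top-level one, has to be at 1.15.5 or later.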

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP requests with malformed Transfer-Encoding headers
  • Unexpected request sequences or cache poisoning attempts

Network Indicators:

  • HTTP traffic with case-variant Transfer-Encoding headers
  • Request smuggling patterns in HTTP traffic

SIEM Query:

http.headers.transfer_encoding:* AND NOT http.headers.transfer_encoding:"chunked"

The original form of this query compared the field against both "chunked" and "CHUNKED" joined with OR, which matches every request that has the header at all. The field comparison also has to be case-sensitive in your SIEM; if the platform normalizes case before matching, the case variants the query is meant to surface are hidden.
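The reverse-proxy workaround above (normalize Transfer-Encoding before it reaches H3) and the network indicator (case-variant Transfer-Encoding values) come down to the same header handling. The JavaScript below is an added example, not code from this advisory or from h3: a case-insensitive inspection that flags the variants and the Transfer-Encoding/Content-Length conflict, plus the normalization step a proxy could apply before forwarding. The sample requests are constructed and the finding strings are labels chosen for this example.

```javascript
// Added example (not from the advisory or the h3 project). RFC 9110 makes header
// names and transfer-coding tokens case-insensitive, so "chunked", "CHUNKED" and
// "Chunked" name the same coding. A parser that tests `value === "chunked"` will
// treat the variants as "not chunked" while the component in front of it treats
// them as chunked; that disagreement is what request smuggling exploits.
const KNOWN_CODINGS = new Set(["chunked", "gzip", "deflate", "compress", "identity"]);

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Returns a list of findings for one request's headers; an empty list is clean.
function inspectRequest(headers) {
  const findings = [];
  const te = getHeader(headers, "transfer-encoding");
  const cl = getHeader(headers, "content-length");
  if (te === undefined) return findings;
  const codings = te.split(",").map((c) => c.trim()).filter(Boolean);
  codings.forEach((c, i) => {
    const lc = c.toLowerCase();
    if (!KNOWN_CODINGS.has(lc)) {
      findings.push(`unrecognized transfer coding "${c}"`);
    } else if (c !== lc) {
      findings.push(`case-variant transfer coding "${c}"`);
    }
    // RFC 9112: chunked must be the final coding applied to a request body.
    if (lc === "chunked" && i !== codings.length - 1) {
      findings.push("chunked is not the final transfer coding");
    }
  });
  // RFC 9112: Transfer-Encoding overrides Content-Length; both present is a
  // classic smuggling indicator and a proxy must drop Content-Length.
  if (cl !== undefined) findings.push("Transfer-Encoding and Content-Length both present");
  return findings;
}

// What a proxy would forward upstream: lowercased names and codings, and no
// Content-Length alongside Transfer-Encoding.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  if (out["transfer-encoding"] !== undefined) {
    out["transfer-encoding"] = out["transfer-encoding"]
      .split(",").map((c) => c.trim().toLowerCase()).filter(Boolean).join(", ");
    delete out["content-length"];
  }
  return out;
}

// Constructed sample traffic, one header set per request.
const sampleRequests = [
  { id: "clean", headers: { Host: "app.example", "Transfer-Encoding": "chunked" } },
  { id: "case-variant", headers: { Host: "app.example", "Transfer-Encoding": "CHUNKED" } },
  { id: "te-and-cl", headers: { Host: "app.example", "Transfer-Encoding": "Chunked", "Content-Length": "42" } },
  { id: "no-te", headers: { Host: "app.example", "Content-Length": "12" } },
];

function scan(requests) {
  return requests.map((r) => ({ id: r.id, findings: inspectRequest(r.headers) }));
}

console.log(JSON.stringify(scan(sampleRequests), null, 2));
console.log(normalizeHeaders(sampleRequests[2].headers));
```

The inspection side maps onto the log and network indicators listed above, while `normalizeHeaders` is the shape of the reverse-proxy workaround: by the time a request reaches H3 the coding token is already lowercase and the conflicting Content-Length is gone, so a case-sensitive check downstream can no longer disagree with the proxy.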
