CVE-2026-33490

LOW 3.7

h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.

CWE	CWE-706
Vendor	h3js
Product	h3
Published	Mar 26, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for h3js h3

Be the first to know when new low vulnerabilities affecting h3js h3 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

h3js / h3

>= 2.0.1-alpha.0, < 2.0.1-rc.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w