CVE-2026-23527: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in h3js h3
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
AI Analysis
Technical Summary
The h3 HTTP framework versions before 1.15.5 contain a critical vulnerability classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, also known as HTTP Request Smuggling). The root cause is that the readRawBody function checks the Transfer-Encoding header for the value "chunked" in a case-sensitive manner, contrary to RFC specifications that mandate case-insensitive header interpretation. This discrepancy can be exploited to smuggle HTTP requests, causing the server to process requests differently than intended. The vulnerability has a CVSS 3.1 base score of 8.9, indicating high severity, with network attack vector, high impact on confidentiality and integrity, and low impact on availability. The issue is resolved in h3 version 1.15.5.
Potential Impact
Successful exploitation of this vulnerability can lead to HTTP Request Smuggling attacks, which may allow attackers to bypass security controls, poison web caches, perform cross-user attacks, or gain unauthorized access to sensitive information. The CVSS score of 8.9 reflects a high impact on confidentiality and integrity, with a low impact on availability. There are no known exploits in the wild at the time of this report.
Mitigation Recommendations
Upgrade to h3 version 1.15.5 or later, where this vulnerability is fixed by implementing a case-insensitive check for the Transfer-Encoding header. Since this is an official fix, applying the update is the recommended remediation. No alternative mitigations are indicated in the advisory.
CVE-2026-23527: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in h3js h3
Description
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The h3 HTTP framework versions before 1.15.5 contain a critical vulnerability classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, also known as HTTP Request Smuggling). The root cause is that the readRawBody function checks the Transfer-Encoding header for the value "chunked" in a case-sensitive manner, contrary to RFC specifications that mandate case-insensitive header interpretation. This discrepancy can be exploited to smuggle HTTP requests, causing the server to process requests differently than intended. The vulnerability has a CVSS 3.1 base score of 8.9, indicating high severity, with network attack vector, high impact on confidentiality and integrity, and low impact on availability. The issue is resolved in h3 version 1.15.5.
Potential Impact
Successful exploitation of this vulnerability can lead to HTTP Request Smuggling attacks, which may allow attackers to bypass security controls, poison web caches, perform cross-user attacks, or gain unauthorized access to sensitive information. The CVSS score of 8.9 reflects a high impact on confidentiality and integrity, with a low impact on availability. There are no known exploits in the wild at the time of this report.
Mitigation Recommendations
Upgrade to h3 version 1.15.5 or later, where this vulnerability is fixed by implementing a case-insensitive check for the Transfer-Encoding header. Since this is an official fix, applying the update is the recommended remediation. No alternative mitigations are indicated in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-13T18:22:43.981Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6969476c1ab3796b1034af92
Added to database: 1/15/2026, 8:00:44 PM
Last enriched: 4/14/2026, 11:29:15 AM
Last updated: 5/10/2026, 10:57:48 AM
Views: 548
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.