H3 Host Header Spoofing Vulnerability Leading to Middleware Bypass
Vulnerability
A host header spoofing vulnerability has been identified in the H3 framework, in 2.0.0-0 and later versions prior to 2.0.1-rc.15. It allows middleware bypass through manipulation of the Host header, which is user-controlled. When certain event.url properties are accessed, the framework constructs a URL using untrusted data from the Host header. As a result, authentication or authorization checks can be bypassed, particularly in applications using H3 with Nitro or Nuxt that rely on event.url in middleware for sensitive routes.
Impact
Exploitation of this vulnerability allows for middleware bypass, potentially leading to unauthorized access or actions within the application, especially on routes that require authentication or authorization.
Reproduction
To reproduce this vulnerability, create an H3 application with a logging middleware that accesses event.url properties. Then, send a request to a route protected by authentication middleware, including a crafted Host header that bypasses the middleware checks while still matching the route handler. This can be done using a tool like cURL or Postman.
Remediation
Users can update to H3 version 2.0.1-rc.15 or later, where this vulnerability has been patched.
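A defense-in-depth check to run alongside the upgrade, written here as an added example and not taken from H3, Nitro or Nuxt: reject any Host header that is not on an allowlist, and base access decisions on the request target alone. The hostnames, the /admin prefix and all function names are assumptions made for illustration.

```javascript
// Added example; not H3, Nitro or Nuxt code. Names and values are constructed.
// Assumption: the hostnames this deployment actually serves.
const ALLOWED_HOSTS = new Set(['app.example.test', 'app.example.test:8443']);
// Assumption: path prefixes that require an authenticated user.
const PROTECTED_PREFIXES = ['/admin'];
// Strict host[:port] grammar; IPv6 literals are deliberately not accepted here.
const HOST_RE = /^[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?(?::\d{1,5})?$/;
const FIXED_BASE = 'http://internal.invalid'; // never derived from the request

// True only when the Host header is well-formed and on the allowlist.
function isTrustedHost(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  const host = hostHeader.toLowerCase();
  return HOST_RE.test(host) && ALLOWED_HOSTS.has(host);
}

// Path used for access decisions: taken from the request target only and
// resolved against a fixed base, so the Host header cannot influence it.
function pathForAuth(requestTarget) {
  if (typeof requestTarget !== 'string' || !requestTarget.startsWith('/')) return null;
  try {
    const url = new URL(requestTarget, FIXED_BASE);
    // A target that re-points the authority (e.g. a leading "//") is rejected.
    return url.host === new URL(FIXED_BASE).host ? url.pathname : null;
  } catch {
    return null; // unparseable request target
  }
}

// req mirrors Node's IncomingMessage: req.url is the request target.
function authorize(req, isAuthenticated) {
  if (!isTrustedHost(req.headers.host)) {
    return { status: 400, reason: 'untrusted Host header' };
  }
  const path = pathForAuth(req.url);
  if (path === null) return { status: 400, reason: 'bad request target' };
  const isProtected = PROTECTED_PREFIXES.some(
    (p) => path === p || path.startsWith(p + '/'));
  if (isProtected && !isAuthenticated) {
    return { status: 401, reason: 'authentication required' };
  }
  return { status: 200, reason: 'ok' };
}
```

The path comparison here follows WHATWG URL normalisation; if the router in use normalises paths differently, match its rules in the prefix check.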
