H3 Missing Path Segment Boundary Check in Mount Method Causes Unintended Middleware Execution

Vulnerability

A vulnerability exists in the H3 framework, affecting versions 2.0.0-0 through 2.0.1-rc.16. The 'mount()' method uses a plain 'startsWith()' check to decide whether an incoming request falls under a mounted sub-application's path prefix. Because the check does not verify that the prefix ends at a path segment boundary, middleware registered for a mount such as '/admin' also runs for unrelated routes such as '/admin-public', '/administrator', or '/adminstuff'. An attacker who can reach one of those routes can therefore trigger middleware that sets privilege-related context flags and may gain access to functionality those flags are meant to protect. The issue is patched in version 2.0.1-rc.17.

Impact

Exploitation of this vulnerability leads to context pollution across mount boundaries: middleware intended for one mount runs for, and sets context on, requests to routes outside that mount. Where the application relies on such context flags to authorize access to protected resources, this becomes an authorization bypass. Additionally, the 'withoutBase()' utility can produce incorrect path outputs for these requests, which can misroute them and introduce further security issues.

Reproduction

To reproduce this vulnerability, mount a sub-application at '/admin' whose middleware sets a context flag such as 'isAdmin'. Then register a separate, unrelated route that merely shares the string prefix, such as '/admin-public/info'. A request to '/admin-public/info' executes the admin middleware and sets 'isAdmin' on the request context, demonstrating the missing path segment boundary check. With the boundary check in place, the middleware runs only for '/admin' itself and for paths beneath '/admin/'.
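The following is an added example, not code from the H3 project: a minimal mount table and dispatcher that reproduces the boundary bug with a bare 'startsWith()' matcher and places the boundary-aware matcher beside it. The function names ('matchesMountVulnerable', 'matchesMountFixed', 'stripBase', 'dispatch', 'demo'), the mount table and the probe paths are all constructed for illustration; 'stripBase' only mirrors the kind of incorrect output the advisory attributes to 'withoutBase()' and is not that function. The matchers assume they are given a pathname with any query string already removed.

```javascript
// Added example (not H3's own code). Names and data below are hypothetical.

// Vulnerable check: a bare prefix test, so base "/admin" also matches
// "/admin-public/info", "/administrator" and "/adminstuff".
function matchesMountVulnerable(base, path) {
  return path.startsWith(base);
}

// Boundary-aware check: the base must be the whole path, or the character
// right after the base must be "/". A root mount ("/") matches every path.
// Assumes `path` is a pathname without a query string.
function matchesMountFixed(base, path) {
  if (base === "/") return true;
  if (!path.startsWith(base)) return false;
  const next = path.charAt(base.length);
  return next === "" || next === "/";
}

// Strip a mount base from a path, returning "/" for an exact match.
// With the vulnerable matcher, "/admin-public/info" under base "/admin"
// becomes "-public/info" (no leading slash), the kind of wrong output the
// advisory describes for withoutBase(). This helper is not withoutBase().
function stripBase(base, path, matches) {
  if (!matches(base, path)) return path;
  const rest = path.slice(base.length);
  return rest === "" ? "/" : rest;
}

// Constructed mount table: each mount records the context flag its
// middleware sets, mirroring the "isAdmin" flag in the reproduction steps.
const MOUNTS = [
  { base: "/admin", flag: "isAdmin" },
  { base: "/api", flag: "isApi" },
];

// Run every mount whose base matches the request path and collect the
// context flags its middleware would set, plus the sub-path it would see.
function dispatch(path, matches, mounts = MOUNTS) {
  const context = {};
  const subPaths = {};
  for (const mount of mounts) {
    if (matches(mount.base, path)) {
      context[mount.flag] = true;
      subPaths[mount.base] = stripBase(mount.base, path, matches);
    }
  }
  return { context, subPaths };
}

// Probe the routes named in the advisory plus two legitimate admin paths,
// reporting whether the admin middleware fires under each matcher.
function demo() {
  const probes = [
    "/admin",
    "/admin/users",
    "/admin-public/info",
    "/administrator",
    "/adminstuff",
  ];
  return probes.map((p) => ({
    path: p,
    vulnerable: dispatch(p, matchesMountVulnerable).context.isAdmin === true,
    fixed: dispatch(p, matchesMountFixed).context.isAdmin === true,
  }));
}

console.table(demo());
```

Running the block prints one row per probe: the three unrelated routes set 'isAdmin' under the vulnerable matcher and not under the fixed one, while '/admin' and '/admin/users' set it under both. The same shape of check, prefix plus a look at the character that follows it, is what a practitioner should expect to find wherever a router mounts sub-applications by string prefix.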

Remediation

Update to H3 version 2.0.1-rc.17 or later, where the path segment boundary check has been corrected. Until then, applications should not rely on context flags set by mount-level middleware as their only authorization check for routes that share a string prefix with a mount.

Added: Mar 26, 2026, 6:25 PM
Updated: Mar 26, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.