OsVault/npm/h3

npm

h3

28 known vulnerabilities · 0 critical · 0 high

CVE-2026-33131

h3 has a middleware bypass with one gadget

Published Mar 18, 2026

GHSA-wr4h-v87w-p3r7

h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read

Published Mar 18, 2026

GHSA-4hxc-9384-m385

h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)

Published Mar 20, 2026

GHSA-72gr-qfp7-vwhw

h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`

Published Mar 20, 2026

CVE-2026-33128

h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

Published Mar 18, 2026

GHSA-q5pr-72pq-83v3

H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service

Published Mar 23, 2026

CVE-2026-23527

h3 v1 has Request Smuggling (TE.TE) issue

Published Jan 15, 2026

CVE-2026-33129

h3 has an observable timing discrepancy in basic auth utils

Published Mar 18, 2026

GHSA-fp4x-ggrf-wmc6

H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation

Published Mar 23, 2026

CVE-2026-33490

h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

Published Mar 20, 2026

MAL-2022-1773

Malicious code in calc_a55qzguqh3 (npm)

Published Jun 20, 2022

MAL-2022-4753

Malicious code in myapp-by-7h3n00b (npm)

Published Sep 27, 2022

MAL-2024-10440

Malicious code in wb-eth3 (npm)

Published Nov 6, 2024

MAL-2024-9361

Malicious code in down-load-available-zip-now-35816-laughter-lust-jih3q-fajkvi (npm)

Published Oct 16, 2024

MAL-2026-2768

Malicious code in h3-next (npm)

Published Apr 16, 2026

MAL-2022-4398

Malicious code in lorash3fset (npm)

Published Aug 19, 2022

MAL-2025-192664

Malicious code in asdfgh33 (npm)

Published Dec 19, 2025

MAL-2025-192872

Malicious code in sturdyfetch3 (npm)

Published Dec 23, 2025

MAL-2024-9400

Malicious code in zip-mp3-a-lbum-do-wnload-new-gift-of-screws-q2h3s-xswcix (npm)

Published Oct 16, 2024

MAL-2025-192439

Malicious code in asdfgh3 (npm)

Published Dec 11, 2025

MAL-2025-1253

Malicious code in nebulagl-h3-hexagon-editing (npm)

Published Feb 7, 2025

MAL-2022-3543

Malicious code in h3-website (npm)

Published Jun 20, 2022

MAL-2024-1746

Malicious code in @tauh33dkhan/alloy-icons (npm)

Published Jun 25, 2024

MAL-2023-8250

Malicious code in fca-priyansh3 (npm)

Published Sep 26, 2023

MAL-2022-3542

Malicious code in h3-jsv3 (npm)

Published Sep 7, 2022

MAL-2023-937

Malicious code in vh3 (npm)

Published Jan 30, 2023

MAL-2022-42

Malicious code in 7h3n00b2 (npm)

Published Sep 27, 2022

MAL-2026-1749

Malicious code in initial-path32 (npm)

Published Mar 18, 2026

Check your entire dependency tree at onceRun dependency scan →