Skip to content

start-server-core depends on vulnerable pinned version of h3 #7043

Open
#7044
Open
start-server-core depends on vulnerable pinned version of h3#7043
#7044
@ulrichstark

Description

@ulrichstark
ulrichstark
opened on Mar 26, 2026

Which project does this relate to?

Start

Describe the bug

The package start-server-core depends on vulnerable pinned version 2.0.1-rc.16 of h3.

Vulnerabilites reported by my npm audit:

h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix) - https://github.com/advisories/GHSA-4hxc-9384-m385
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes - https://github.com/advisories/GHSA-2j6q-whv2-gh6w
H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service - https://github.com/advisories/GHSA-q5pr-72pq-83v3

Upgrading to at least version 2.0.1-rc.18 or unpinning the version would fix the issues.

Your Example Website or App

router/packages/start-server-core/package.json

Line 85 in 87a5160

"h3-v2": "npm:h3@2.0.1-rc.16",

Steps to Reproduce the Bug or Issue

Expected behavior

Screenshots or Videos

No response

Platform

  • Router / Start Version: [e.g. 1.121.0]
  • OS: [e.g. macOS, Windows, Linux]
  • Browser: [e.g. Chrome, Safari, Firefox]
  • Browser Version: [e.g. 91.1]
  • Bundler: [e.g. vite]
  • Bundler Version: [e.g. 7.0.0]

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions