h3, Denial of Service, CVE-2024-0000 (Critical)

Listen to this Post

How the CVE Works

The vulnerability exists in how h3 handles chunked cookies. The `getChunkedCookieCount()` function parses a user-controlled value from the `__chunked__N` cookie sentinel without any upper bound validation. This parsed integer is then used to determine the number of cleanup loops in `setChunkedCookie()` and deleteChunkedCookie(). When an attacker sends a request with a crafted cookie like h3=__chunked__999999, the server reads this value. During session initialization, it calls setChunkedCookie(), which enters a cleanup loop based on the attacker-controlled count. For each of the 999,998 iterations, it calls deleteCookie(), which in turn calls setCookie(). Each `setCookie()` call scans all existing `set-cookie` headers for deduplication, creating an O(n²) complexity. This results in approximately 10¹² operations from a single 27-byte request, causing the single-threaded Node.js process to hang indefinitely, leading to a complete denial of service.

dailycve form

Platform: h3 framework
Version: All vulnerable
Vulnerability: Unvalidated chunk count
Severity: Critical
date: 2026-03-24

Prediction: Patch within days

What Undercode Say:

PoC to demonstrate DoS
curl -H 'Cookie: h3=__chunked__100000' http://localhost:3000/dashboard
// Vulnerable code snippet in src/utils/cookie.ts:244-249
function getChunkedCookieCount(cookie: string | undefined): number {
if (!cookie?.startsWith(CHUNKED_COOKIE)) {
return Number.NaN;
}
return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
// No upper bound check — attacker controls this value
}

Exploit:

An unauthenticated attacker sends a single HTTP request containing the `Cookie: h3=__chunked__999999` header to any endpoint that uses getSession(), useSession(), or clearSession(). The server processes the cookie, enters an O(n²) cleanup loop based on the attacker-supplied value (999,999), and hangs indefinitely, blocking all other requests.

Protection from this CVE

Apply the recommended fix by adding a maximum chunk count constant (e.g., 100) and validating the parsed value in getChunkedCookieCount(), returning `NaN` for values exceeding the limit. This caps the loop iterations and prevents the DoS.

Impact

  • Denial of Service: Single request hangs the server process.
  • No Authentication: Attack requires only a crafted cookie header.
  • Minimal Effort: Small payload with massive amplification.
  • Wide Attack Surface: Any endpoint using sessions is vulnerable.
  • Resource Exhaustion: Billions of server operations from 27 bytes.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top