Listen to this Post
How the CVE Works
The vulnerability exists in how h3 handles chunked cookies. The `getChunkedCookieCount()` function parses a user-controlled value from the `__chunked__N` cookie sentinel without any upper bound validation. This parsed integer is then used to determine the number of cleanup loops in `setChunkedCookie()` and deleteChunkedCookie(). When an attacker sends a request with a crafted cookie like h3=__chunked__999999, the server reads this value. During session initialization, it calls setChunkedCookie(), which enters a cleanup loop based on the attacker-controlled count. For each of the 999,998 iterations, it calls deleteCookie(), which in turn calls setCookie(). Each `setCookie()` call scans all existing `set-cookie` headers for deduplication, creating an O(n²) complexity. This results in approximately 10¹² operations from a single 27-byte request, causing the single-threaded Node.js process to hang indefinitely, leading to a complete denial of service.
dailycve form
Platform: h3 framework
Version: All vulnerable
Vulnerability: Unvalidated chunk count
Severity: Critical
date: 2026-03-24
Prediction: Patch within days
What Undercode Say:
PoC to demonstrate DoS curl -H 'Cookie: h3=__chunked__100000' http://localhost:3000/dashboard
// Vulnerable code snippet in src/utils/cookie.ts:244-249
function getChunkedCookieCount(cookie: string | undefined): number {
if (!cookie?.startsWith(CHUNKED_COOKIE)) {
return Number.NaN;
}
return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
// No upper bound check — attacker controls this value
}
Exploit:
An unauthenticated attacker sends a single HTTP request containing the `Cookie: h3=__chunked__999999` header to any endpoint that uses getSession(), useSession(), or clearSession(). The server processes the cookie, enters an O(n²) cleanup loop based on the attacker-supplied value (999,999), and hangs indefinitely, blocking all other requests.
Protection from this CVE
Apply the recommended fix by adding a maximum chunk count constant (e.g., 100) and validating the parsed value in getChunkedCookieCount(), returning `NaN` for values exceeding the limit. This caps the loop iterations and prevents the DoS.
Impact
- Denial of Service: Single request hangs the server process.
- No Authentication: Attack requires only a crafted cookie header.
- Minimal Effort: Small payload with massive amplification.
- Wide Attack Surface: Any endpoint using sessions is vulnerable.
- Resource Exhaustion: Billions of server operations from 27 bytes.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

