GHSA-fp4x-ggrf-wmc6: H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
The redirectBack() utility in h3 checks that the Referer header shares the request's origin before reusing the Referer's pathname as the redirect Location. That pathname, however, is not sanitized for protocol-relative paths (paths beginning with //). A same-origin URL whose path opens with a double slash passes the origin check, yet the resulting Location header starts with //, which browsers resolve as a protocol-relative URL and follow to an external host. The outcome is an open redirect despite the origin validation.
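The following is an added illustration and is not h3's code: it contrasts a naive "same origin, then reuse the pathname" check with a hardened variant that re-resolves the candidate Location against the request origin, and shows how a browser would interpret a `//host` Location. The function names and the sample URLs are constructed for the example.

```javascript
// Added example, not code from h3. Function names are hypothetical.

// Naive pattern as described in the advisory: confirm the Referer shares the
// request origin, then reuse its pathname. Nothing rejects a "//" prefix.
function naiveReferrerPath(referer, requestOrigin, fallback = "/") {
  let parsed;
  try {
    parsed = new URL(referer);
  } catch {
    return fallback; // unparseable Referer: fall back to a fixed path
  }
  if (parsed.origin !== requestOrigin) return fallback;
  return parsed.pathname + parsed.search; // may begin with "//"
}

// Hardened pattern: resolve the candidate Location the way a browser would
// (relative to the request origin) and require the result to stay on that
// origin. An explicit "//" or "/\" prefix check is kept as defence in depth.
function safeReferrerPath(referer, requestOrigin, fallback = "/") {
  const candidate = naiveReferrerPath(referer, requestOrigin, fallback);
  if (/^[/\\]{2}/.test(candidate)) return fallback;
  const resolved = new URL(candidate, requestOrigin);
  if (resolved.origin !== requestOrigin) return fallback;
  return resolved.pathname + resolved.search;
}

// How a browser interprets a Location header: relative references are
// resolved against the current page URL, so "//host/..." changes the origin.
function browserResolve(location, currentPage) {
  return new URL(location, currentPage).href;
}

// Constructed sample values.
const origin = "https://app.example";
const benign = "https://app.example/account?tab=1";
const crafted = "https://app.example//evil.example/landing";

console.log(naiveReferrerPath(benign, origin));  // "/account?tab=1"
console.log(naiveReferrerPath(crafted, origin)); // "//evil.example/landing"
console.log(browserResolve(naiveReferrerPath(crafted, origin), origin + "/login"));
// "https://evil.example/landing"  <- redirect leaves the application's origin
console.log(safeReferrerPath(crafted, origin));  // "/"
console.log(safeReferrerPath(benign, origin));   // "/account?tab=1"
```

The decisive check in the hardened version is the second one: whatever the candidate string looks like, resolving it against the request origin with the WHATWG URL parser and comparing `origin` catches every form the browser would treat as an absolute or protocol-relative reference, including backslash variants that the parser normalizes to slashes. For detection, a web server log entry whose `Location` response header begins with `//` is a useful signal that this class of redirect is being exercised.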