GHSA-q5pr-72pq-83v3: H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service
The setChunkedCookie() and deleteChunkedCookie() functions in h3 trust the chunk count parsed from a user-controlled cookie value (__chunked__N) without any upper-bound validation. An unauthenticated attacker can send a single request with a crafted Cookie header (for example, Cookie: h3=__chunked__999999) to any endpoint that uses sessions; the server then enters an O(n²) loop driven by the attacker-chosen count and the process hangs.
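The pattern behind the advisory, as an added example that is not h3's own code: a chunked-cookie reader that takes the chunk count from the client value, beside a hardened version that enforces strict integer syntax, a hard cap, and early exit on a missing chunk. The cookie layout used here (base cookie carries `__chunked__<N>`, chunk i lives in `<name>.<i>`) and the cap `MAX_CHUNKS` are assumptions made for the example; h3's real naming, limits and fix may differ.

```javascript
// Added example, not h3's code. Assumed layout: the base cookie holds
// "__chunked__<N>" and chunk i is stored in the cookie "<name>.<i>".
const CHUNK_MARKER = '__chunked__';
// Assumed cap: browsers reject cookies over ~4 KiB, so 8 chunks already
// covers ~32 KiB of session state, far beyond a realistic session.
const MAX_CHUNKS = 8;

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    if (key) jar.set(key, part.slice(eq + 1).trim());
  }
  return jar;
}

// Vulnerable pattern: the chunk count is whatever integer the client sent.
function chunkCountUnchecked(value) {
  if (typeof value !== 'string' || !value.startsWith(CHUNK_MARKER)) return 0;
  return parseInt(value.slice(CHUNK_MARKER.length), 10);
}

// Hardened: strict digit syntax plus a hard upper bound. Returns 0 for a
// plain (non-chunked) value and null for anything malformed or over the cap,
// so callers discard the cookie instead of looping on it.
function chunkCountChecked(value) {
  if (typeof value !== 'string' || !value.startsWith(CHUNK_MARKER)) return 0;
  const digits = value.slice(CHUNK_MARKER.length);
  // Rejects "", "0", "-1", "007", "1e9" and anything with 4+ digits.
  if (!/^[1-9][0-9]{0,2}$/.test(digits)) return null;
  const n = Number(digits);
  return n <= MAX_CHUNKS ? n : null;
}

// Vulnerable reassembly: iterates exactly N times regardless of what the jar
// holds. Each iteration here is a cheap Map lookup; in the affected library
// every iteration re-walked cookie state, which is what made the total O(n^2).
function readChunkedUnchecked(header, name) {
  const jar = parseCookieHeader(header);
  const n = chunkCountUnchecked(jar.get(name));
  let value = '';
  let iterations = 0;
  for (let i = 0; i < n; i++) {
    iterations++;
    value += jar.get(`${name}.${i}`) ?? '';
  }
  return { value, iterations };
}

// Hardened reassembly: bounded count, and the loop stops at the first missing
// chunk, so work is bounded by MAX_CHUNKS and by what the client actually sent.
function readChunkedChecked(header, name) {
  const jar = parseCookieHeader(header);
  const n = chunkCountChecked(jar.get(name));
  if (n === null) return { value: null, iterations: 0 }; // malformed or over cap
  if (n === 0) return { value: jar.get(name) ?? null, iterations: 0 };
  const parts = [];
  let iterations = 0;
  for (let i = 0; i < n; i++) {
    iterations++;
    const chunk = jar.get(`${name}.${i}`);
    if (chunk === undefined) return { value: null, iterations }; // incomplete set
    parts.push(chunk);
  }
  return { value: parts.join(''), iterations };
}

// Constructed inputs: a legitimate 3-chunk session and the shape of the
// advisory's single-cookie trigger.
const LEGIT = 'h3=__chunked__3; h3.0=aaa; h3.1=bbb; h3.2=ccc';
const MALICIOUS = 'h3=__chunked__999999';
```

The two controls are independent: the cap bounds the loop even when the declared count is syntactically valid, and stopping at the first missing chunk means the cost of a cleanup or read is tied to cookies the client actually transmitted (which the request's header size already limits), not to a number it merely claimed.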