GHSA-wr4h-v87w-p3r7: h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read

March 18, 2026

serveStatic() in h3 is vulnerable to path traversal via percent-encoded dot segments (%2e%2e), allowing an unauthenticated attacker to read arbitrary files outside the intended static directory on Node.js deployments.

References

github.com/advisories/GHSA-wr4h-v87w-p3r7
github.com/h3js/h3
github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/static.ts
github.com/h3js/h3/commit/0e751b4059060f2ade01a0bdfd96b0f5ffc8a26d
github.com/h3js/h3/security/advisories/GHSA-wr4h-v87w-p3r7

Code Behaviors & Features

Detect and mitigate GHSA-wr4h-v87w-p3r7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →