## H3 Framework 'serveStatic' Vulnerability (GHSA-72gr-qfp7-vwhw) Exposes Path Traversal Risk
A medium-severity vulnerability in the popular H3 web framework's `serveStatic` utility creates a path traversal risk, potentially allowing attackers to access sensitive files on servers using affected versions. The flaw, tracked as GHSA-72gr-qfp7-vwhw, stems from a redundant `decodeURI()` call that enables bypassing built-in security checks.

The vulnerability exists in H3 versions prior to 1.15.9. The `serveStatic` utility applies a second `decodeURI()` call to the request pathname after the `H3Event` has already percent-decoded it once. The double decoding is the problem: an attacker sends a path containing `%252e%252e`; the first decode yields `%2e%2e`, which the framework's `resolveDotSegments()` does not treat as a `..` segment because it matches only literal dot characters (`.`); the redundant second decode then turns that sequence into `..`, after the dot-segment check has already run. A single layer of encoding is handled correctly; only the doubly-encoded form slips past, which is why the check has to be applied to a fully decoded path and never followed by another decode.

When the manipulated asset ID is passed to URL-based backends such as CDNs, Amazon S3, or other object storage systems, the `%2e%2e` sequence is interpreted as directory traversal (`..`), allowing unauthorized reads of files outside the intended static serving directory. The vulnerability has been fixed in H3 version 1.15.9, and developers are urged to upgrade immediately. Because `h3` is frequently a transitive dependency (Nitro and Nuxt pull it in), check the resolved version in your lockfile (`pnpm-lock.yaml`, `package-lock.json`, `yarn.lock`) or with `pnpm why h3` / `npm ls h3` rather than only in `package.json`, and apply the patch to mitigate this server-side risk.
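The following is an added example, not code from h3 or from the advisory: a constructed model of the double-decode flow described above, placed next to a single-decode check that refuses any path still carrying percent-encoding after the first decode. `resolveDotSegmentsLiteral`, `vulnerableAssetId`, `hardenedAssetId` and the sample paths are all assumptions made for illustration; they stand in for, and are not, h3's own `resolveDotSegments()` and `serveStatic` internals.

```javascript
// Added example (not h3's code). Models the double-decoding flow from the
// advisory and a hardened single-decode variant. All names are hypothetical.

// Stand-in for a dot-segment resolver that, like the one the advisory
// describes, only understands literal "." and ".." segments.
function resolveDotSegmentsLiteral(pathname) {
  const out = [];
  for (const seg of pathname.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; } // cannot climb above "/"
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Affected flow: the request layer decodes once, dot segments are resolved
// on that result, then a redundant decodeURI() decodes a second time.
// "%252e%252e" -> "%2e%2e" (passes the check) -> ".." (traversal).
function vulnerableAssetId(rawPathname) {
  const onceDecoded = decodeURIComponent(rawPathname);
  const checked = resolveDotSegmentsLiteral(onceDecoded);
  return decodeURI(checked);
}

// Hardened flow: decode exactly once, reject anything that still looks
// percent-encoded (a downstream decoder such as a CDN or S3 would decode it
// again), reject backslashes and NUL, then resolve dot segments.
function hardenedAssetId(rawPathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPathname);
  } catch {
    return null; // malformed escape such as "%zz"
  }
  if (/%[0-9a-f]{2}/i.test(decoded)) return null;
  if (/[\\\0]/.test(decoded)) return null;
  return resolveDotSegmentsLiteral(decoded);
}

// Constructed request paths, not captured traffic.
const SAMPLE_PATHS = [
  "/assets/app.js",
  "/assets/app%20v2.js",
  "/assets/../app.js",
  "/assets/%2e%2e/%2e%2e/etc/passwd",
  "/assets/%252e%252e/%252e%252e/etc/passwd",
];

// Runs both flows over the samples so the difference is visible side by side.
function compareFlows(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({
    request: p,
    vulnerable: vulnerableAssetId(p),
    hardened: hardenedAssetId(p),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareFlows()) console.log(row);
}
```

Singly-encoded `%2e%2e` is resolved safely by both flows, because one decode turns it into literal `..` before the check runs; only the doubly-encoded form reaches the backend as `/assets/../../etc/passwd` in the vulnerable flow, while the hardened flow returns `null` for it. Rejecting residual `%xx` sequences is deliberately stricter than the minimum fix (removing the second `decodeURI()`), since it also protects backends that decode the ID themselves.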
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, web-framework, vulnerability, path-traversal, npm
- **Credibility**: unverified
- **Published**: 2026-04-21 04:22:40
- **ID**: 73531
- **URL**: https://whisperx.ai/en/intel/73531