CVE-2026-33128

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187	Product
https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6	Patch
https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:h3:h3::::::node.js::*
	cpe:2.3:a:h3:h3:2.0.0:::::node.js::
	cpe:2.3:a:h3:h3:2.0.1:rc10::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc11::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc12::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc13::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc14::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc2::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc3::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc4::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc5::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc6::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc7::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc8::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc9::::node.js::*

History

No history.

Information

Published : 2026-03-20 10:16

Updated : 2026-03-20 20:00

NVD link : CVE-2026-33128

Mitre link : CVE-2026-33128

CVE.ORG link : CVE-2026-33128

JSON object : View

Products Affected

h3

h3

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

{"id": "CVE-2026-33128", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T10:16:19.160", "references": [{"url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. En versiones anteriores a la 1.15.6 y entre la 2.0.0 y la 2.0.1-rc.14, createEventStream es vulnerable a la inyecci\u00f3n de Eventos Enviados por el Servidor (SSE) debido a la falta de saneamiento de nueva l\u00ednea en formatEventStreamMessage() y formatEventStreamComment(). Un atacante que controla cualquier parte de un campo de mensaje SSE (id, evento, datos o comentario) puede inyectar eventos SSE arbitrarios a los clientes conectados. Este problema est\u00e1 solucionado en las versiones 1.15.6 y 2.0.1-rc.15."}], "lastModified": "2026-03-20T20:00:21.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8B8C8545-3682-40FD-A897-6729997A94E7", "versionEndExcluding": "1.15.6"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}