CVE-2026-33129

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/h3js/h3/pull/1283	Issue Tracking
https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9	Patch
https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:h3:h3:2.0.0:::::node.js::
	cpe:2.3:a:h3:h3:2.0.1:rc1::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc2::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc3::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc4::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc5::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc6::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc7::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc8::::node.js::*

History

No history.

Information

Published : 2026-03-20 10:16

Updated : 2026-03-20 19:58

NVD link : CVE-2026-33129

Mitre link : CVE-2026-33129

CVE.ORG link : CVE-2026-33129

JSON object : View

Products Affected

h3

h3

CWE

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2026-33129", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-03-20T10:16:19.317", "references": [{"url": "https://github.com/h3js/h3/pull/1283", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.1-beta.0 hasta la 2.0.0-rc.8 contienen una vulnerabilidad de canal lateral de tiempo en la funci\u00f3n requireBasicAuth debido al uso de una comparaci\u00f3n de cadenas insegura (!==). Esto permite a un atacante deducir la contrase\u00f1a v\u00e1lida car\u00e1cter por car\u00e1cter midiendo el tiempo de respuesta del servidor, eludiendo eficazmente las protecciones de complejidad de la contrase\u00f1a. Este problema est\u00e1 solucionado en la versi\u00f3n 2.0.1-rc.9."}], "lastModified": "2026-03-20T19:58:02.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}