CVE-2026-33128

HIGH

h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

Title source: cna

Description

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

References (3)

[X_Refsource_Confirm] https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm

[X_Refsource_Misc] https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (6)

h3/h3 2.0.0

h3/h3 2.0.1 rc10 (13 CPE variants)

h3/h3 < 1.15.6

h3js/h3 < 1.15.6

h3js/h3 >= 2.0.0, < 2.0.1-rc.15

npm/h3 2.0.0 - 2.0.1-rc.15npm

Published Mar 20, 2026

Tracked Since Mar 20, 2026