CVE-2026-33129

MEDIUM

h3 has an observable timing discrepancy in basic auth utils

Title source: cna

Description

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.

References (3)

[X_Refsource_Confirm] https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh

[X_Refsource_Misc] https://github.com/h3js/h3/pull/1283

[X_Refsource_Misc] https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9

Scores

CVSS v3 5.9

EPSS 0.0004

EPSS Percentile 11.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-208

Status published

Products (4)

h3/h3 2.0.0

h3/h3 2.0.1 rc1 (8 CPE variants)

h3js/h3 >= 2.0.1-beta.0, < 2.0.1-rc.9

npm/h3 2.0.0-beta.0 - 2.0.1-rc.9npm

Published Mar 20, 2026

Tracked Since Mar 20, 2026