CVE-2026-33129 (GCVE-0-2026-33129)
Vulnerability from cvelistv5 – Published: 2026-03-20 09:41 – Updated: 2026-03-20 19:33
Title
h3 has an observable timing discrepancy in basic auth utils
Summary
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
Severity
5.9 (Medium)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh | x_refsource_CONFIRM |
| https://github.com/h3js/h3/pull/1283 | x_refsource_MISC |
| https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9 | x_refsource_MISC |
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33129",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T19:33:14.795855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T19:33:49.871Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "h3",
          "vendor": "h3js",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.1-beta.0, \u003c 2.0.1-rc.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server\u0027s response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T09:41:21.933Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"
        },
        {
          "name": "https://github.com/h3js/h3/pull/1283",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/h3js/h3/pull/1283"
        },
        {
          "name": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"
        }
      ],
      "source": {
        "advisory": "GHSA-26f5-8h2x-34xh",
        "discovery": "UNKNOWN"
      },
      "title": "h3 has an observable timing discrepancy in basic auth utils"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33129",
    "datePublished": "2026-03-20T09:41:21.933Z",
    "dateReserved": "2026-03-17T20:35:49.927Z",
    "dateUpdated": "2026-03-20T19:33:49.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33129\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T10:16:19.317\",\"lastModified\":\"2026-03-20T19:58:02.500\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server\u0027s response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.\"},{\"lang\":\"es\",\"value\":\"H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.1-beta.0 hasta la 2.0.0-rc.8 contienen una vulnerabilidad de canal lateral de tiempo en la funci\u00f3n requireBasicAuth debido al uso de una comparaci\u00f3n de cadenas insegura (!==). Esto permite a un atacante deducir la contrase\u00f1a v\u00e1lida car\u00e1cter por car\u00e1cter midiendo el tiempo de respuesta del servidor, eludiendo eficazmente las protecciones de complejidad de la contrase\u00f1a. Este problema est\u00e1 solucionado en la versi\u00f3n 2.0.1-rc.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A80DE960-665D-4590-B6D5-645099B808E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"910077BC-C84C-4CAB-A0A5-761047F6F43C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C5E7779A-00CA-45E7-8F68-1DAB5388ED4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"064C21F5-8633-45F3-9A3D-3FB029A867B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"496314A3-8F2B-4274-9D0D-7F11E896FEA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"35F49342-D52C-4762-9369-F380C5E7E0B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D11CA1A7-3141-46EA-9687-32C333FC7B0C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A4A6FD03-5DE5-4D73-9FF3-BB653302C60B\"}]}]}],\"references\":[{\"url\":\"https://github.com/h3js/h3/pull/1283\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33129\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T19:33:14.795855Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T19:33:40.303Z\"}}], \"cna\": {\"title\": \"h3 has an observable timing discrepancy in basic auth utils\", \"source\": {\"advisory\": \"GHSA-26f5-8h2x-34xh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"h3js\", \"product\": \"h3\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.1-beta.0, \u003c 2.0.1-rc.9\"}]}], \"references\": [{\"url\": \"https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh\", \"name\": \"https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/h3js/h3/pull/1283\", \"name\": \"https://github.com/h3js/h3/pull/1283\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9\", \"name\": \"https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server\u0027s response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T09:41:21.933Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33129\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T19:33:49.871Z\", \"dateReserved\": \"2026-03-17T20:35:49.927Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T09:41:21.933Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.