{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T09:41:21.933Z", "dateUpdated": "2026-03-20T19:33:49.871Z"}, "containers": {"cna": {"title": "h3 has an observable timing discrepancy in basic auth utils", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"}, {"name": "https://github.com/h3js/h3/pull/1283", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/pull/1283"}, {"name": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.1-beta.0, < 2.0.1-rc.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:41:21.933Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}], "source": {"advisory": "GHSA-26f5-8h2x-34xh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T19:33:14.795855Z", "id": "CVE-2026-33129", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:33:49.871Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33129", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T19:33:14.795855Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:33:40.303Z"}}], "cna": {"title": "h3 has an observable timing discrepancy in basic auth utils", "source": {"advisory": "GHSA-26f5-8h2x-34xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.1-beta.0, < 2.0.1-rc.9"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "name": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/h3/pull/1283", "name": "https://github.com/h3js/h3/pull/1283", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "name": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:41:21.933Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33129", "state": "PUBLISHED", "dateUpdated": "2026-03-20T19:33:49.871Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T09:41:21.933Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.1-beta.0 hasta la 2.0.0-rc.8 contienen una vulnerabilidad de canal lateral de tiempo en la funci\u00f3n requireBasicAuth debido al uso de una comparaci\u00f3n de cadenas insegura (!==). Esto permite a un atacante deducir la contrase\u00f1a v\u00e1lida car\u00e1cter por car\u00e1cter midiendo el tiempo de respuesta del servidor, eludiendo eficazmente las protecciones de complejidad de la contrase\u00f1a. Este problema est\u00e1 solucionado en la versi\u00f3n 2.0.1-rc.9."}], "id": "CVE-2026-33129", "lastModified": "2026-03-20T19:58:02.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T10:16:19.317", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/h3js/h3/pull/1283"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.1-beta.0,2.0.1-rc.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "h3", "source": "cna", "vendor": "h3js"}, "product": "h3", "vendor": "h3js"}], "analysis": {"en": {"generated_at": "2026-03-20T21:25:33.070629+00:00", "value": {"mitigation_remediation": ["Upgrade h3 to version 2.0.1-rc.9 or later, which contains the patch that implements a constant\u2011time comparison for basic authentication."], "summary": {"action": "Patch", "impact": "Credential Disclosure via Timing Side-Channel"}, "threat_synthesis": {"affected_systems": "The vulnerable H3 library (h3js:h3) is affected in versions 2.0.1-beta.0 through 2.0.0-rc.8. The issue is fixed in version 2.0.1-rc.9 and later. These versions run in Node.js environments.", "description_and_impact": "H3, a minimal HTTP framework, contains a timing side\u2011channel in its basic authentication function caused by the use of an unsafe string comparison (!==). The vulnerability allows an attacker to measure the server\u2019s response time for successive password attempts and deduce each password character one at a time, effectively bypassing password complexity protections and exposing the credentials.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. An attacker would need remote network access to an HTTP server that uses H3 basic authentication; by repeatedly sending credential guesses and monitoring response times, they could recover valid passwords character by character. The attack requires no special privileges and relies solely on measurable timing differences."}}}}, "created": "2026-03-20T14:13:52.367326+00:00", "updated": "2026-03-25T14:29:39.582217+00:00", "vendors": ["h3js", "h3js$PRODUCT$h3"]}