CVE-2026-33129
MEDIUM EPSS 23.6%
Published Mar 20, 20263mo ago · Modified Jun 17, 20262w ago
5.9 CVSS 3.1
Published Mar 20, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago
Description
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
23.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-208
Affected Products 9
References 3
- github.com https://github.com/h3js/h3/pull/1283
- github.com https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9
- github.com https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh
Remediation
- github.com https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9