CVE-2026-33129
Published: 2026-03-20
Priority: P4 · 34 · Severity: medium · CVSS 3.1 base score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.32% (23.6th percentile)
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3 | h3 | — | — |
| h3 | h3 | — | — |
| h3 | h3 | >= 2.0.0-beta.0 < 2.0.1-rc.9 | 2.0.1-rc.9 |
| h3js | h3 | — | — |
GHSA (ghsa · 2026-03-18)
CVE-2026-33129 [MEDIUM] CWE-208 h3 has an observable timing discrepancy in basic auth utils
### Summary
A Timing Side-Channel vulnerability exists in the `requireBasicAuth` function due to the use of unsafe string comparison (`!==`). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections.
### Details
The vulnerability is located in the `requireBasicAuth` function. The code performs a standard string comparison between the user-provided password and the expected password:
~~~typescript
if (opts.password && password !== opts.password) {
  throw autheFailed(event, opts?.realm);
}
~~~
In V8 (and most runtime environments), the `!==` operator is optimized to "fail fast." It stops execution and returns `false`
OSV (osv · 2026-03-18)
CVE-2026-33129 [MEDIUM] h3 has an observable timing discrepancy in basic auth utils
No detection rules found.
No public exploits indexed.
Published: 2026-03-20