CVE-2026-33129 (CVSS 5.9) [Exploit]

h3 has an observable timing discrepancy in basic auth utils

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
Data provided by the National Vulnerability Database (NVD)

Affected configurations (CPE):

Vendor Product Version Update SwPlatform
H3     H3      2.0.0   -      node.js
H3     H3      2.0.1   rc1    node.js
H3     H3      2.0.1   rc2    node.js
H3     H3      2.0.1   rc3    node.js
H3     H3      2.0.1   rc4    node.js
H3     H3      2.0.1   rc5    node.js
H3     H3      2.0.1   rc6    node.js
H3     H3      2.0.1   rc7    node.js
H3     H3      2.0.1   rc8    node.js

No advisory was found for this CVE.
EPSS Metrics

Type Source    Score Percentile
EPSS FIRST.org 0.32% 0.234

CVSS Metrics

Source                         Base Score Exploit Score Impact Score Vector String
nvd@nist.gov                   5.9        2.2           3.6          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 5.9        2.2           3.6          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh
Vendor Advisory
Exploit
https://github.com/h3js/h3/pull/1283
Issue Tracking
https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9
Patch