5.9

CVE-2026-33129

Exploit
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
Data provided by the National Vulnerability Database (NVD)
H3 H3, Version 2.0.0, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc1, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc2, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc3, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc4, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc5, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc6, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc7, SwPlatform node.js
H3 H3, Version 2.0.1, Update rc8, SwPlatform node.js
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.04% | 0.105
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
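
The comparison weakness described above, next to a constant-time alternative, as an added example for Node.js. This is not H3's code or its actual fix; `unsafeEqual`, `safeEqual`, `parseBasic` and `verifyBasicAuth` are hypothetical names and the credentials are constructed.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Pattern named in the advisory: `!==` on strings can stop at the first
// differing character, so run time depends on how much of the secret matched.
function unsafeEqual(a, b) {
  return !(a !== b);
}

// Per-process random key. HMAC output is always 32 bytes, so the buffers
// handed to timingSafeEqual never differ in length (it throws if they do).
const COMPARE_KEY = randomBytes(32);
function digest(value) {
  return createHmac("sha256", COMPARE_KEY).update(String(value), "utf8").digest();
}

// Constant-time equality for strings of any length.
function safeEqual(a, b) {
  return timingSafeEqual(digest(a), digest(b));
}

// Parse "Basic <base64(user:pass)>"; returns null when malformed.
// Only the first ":" separates user from password.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Hypothetical checker: both fields are always compared, and the results
// are combined with `&` so a wrong username does not skip the password check.
function verifyBasicAuth(header, expected) {
  const parsed = parseBasic(header);
  const creds = parsed ?? { username: "", password: "" };
  const userOk = safeEqual(creds.username, expected.username);
  const passOk = safeEqual(creds.password, expected.password);
  return (userOk & passOk & (parsed !== null)) === 1;
}

// Constructed sample credentials, for demonstration only.
const SAMPLE = { username: "admin", password: "correct:horse" };
const sampleHeader = "Basic " + Buffer.from("admin:correct:horse").toString("base64");
console.log(verifyBasicAuth(sampleHeader, SAMPLE));
```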