CVE-2026-33129
h3 has an observable timing discrepancy in basic auth utils
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
8th
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
| CWE | CWE-208 |
| Vendor | h3js |
| Product | h3 |
| Published | Mar 20, 2026 |
| Last Updated | Mar 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for h3js h3
Be the first to know when new medium vulnerabilities affecting h3js h3 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
h3js / h3
>= 2.0.1-beta.0, < 2.0.1-rc.9