Description
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Sent Events Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the h3 HTTP framework allows an attacker who can control any part of a Server‑Sent Events (SSE) message field (id, event, data, or comment) to inject arbitrary SSE content into the stream delivered to clients. formatEventStreamMessage() and formatEventStreamComment() write these fields onto the wire without stripping or encoding CR/LF, so a value containing a blank line terminates the current event, and whatever follows is parsed by every connected client as one or more additional events whose name, id and data the attacker chose. The flaw is classified as CWE‑93 (Improper Neutralization of CRLF Sequences, "CRLF Injection"), the same class as HTTP header injection: the newline is the structural delimiter of the SSE format and is not neutralized before untrusted data is placed into it.

Affected Systems

Affects the h3 framework distributed by h3js. All releases before 1.15.6, and releases from 2.0.0 through 2.0.1‑rc.14, are vulnerable; 1.15.6 and 2.0.1‑rc.15 or later contain the fix. The vulnerable code is the SSE support behind createEventStream, specifically the formatEventStreamMessage() and formatEventStreamComment() helpers that serialise event fields. Any application that feeds externally influenced values into those fields is exposed, including where h3 arrives as a transitive dependency.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N: remotely exploitable with no privileges and no user interaction, but only under the precondition (AC:H) that attacker‑controlled data reaches an SSE field, for example a chat message, display name or upstream feed item that the application relays to subscribers. The changed scope reflects that the forged events land in every client consuming the stream rather than on the server itself. The EPSS score is below 1 % and the issue is not in CISA's KEV catalog, while the SSVC assessment records a public proof of concept with partial technical impact. The actual consequence depends on the client: code that dispatches on the event name, trusts the last event id for resumption, or inserts data into the DOM or hands it to application logic without validation can be driven by injected events. The injection itself does not execute script; that requires a further sink on the client side.

Generated by OpenCVE AI on March 20, 2026 at 21:51 UTC.

Remediation

Vendor fix available: h3 1.15.6 and 2.0.1‑rc.15 (see GHSA-22cc-p3c6-wpvm).

OpenCVE Recommended Actions

  • Update h3 to 1.15.6 or later on the 1.x line, or 2.0.1‑rc.15 or later on the 2.x line; the fix adds newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). Check the lockfile for transitive copies of h3 as well as direct dependencies.
  • If updating is not immediately possible, restrict access to the SSE endpoint or disable SSE functionality until the upgraded version is deployed.
  • As a temporary workaround, have application code strip or encode CR and LF from id, event and comment values, and split multi‑line data into separate data: lines, before passing them to the formatter; treat every value derived from user input or an upstream source as untrusted.

Generated by OpenCVE AI on March 20, 2026 at 21:51 UTC.
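To make the Impact section and the sanitization workaround concrete, here is an added example; it is not h3's code and not taken from the GHSA advisory. It contains a formatter that reproduces the described flaw by interpolating fields into the stream without handling CR/LF, a hardened formatter that strips newlines from single‑line fields and re‑encodes multi‑line data as repeated data: lines, and a small parser that follows the WHATWG EventSource interpretation rules so the effect on a client is visible. The function names, the chat scenario and the hostile display name are constructed for the illustration.

```javascript
// Added example (not h3's implementation). Models the flaw described in the
// advisory and the corresponding hardening, then parses the resulting stream
// the way an EventSource client would.

// Hypothetical vulnerable formatter: fields are written verbatim, so a value
// containing a blank line ends the current event and starts a new one.
function formatMessageVulnerable(msg) {
  let out = "";
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.data !== undefined) out += `data: ${msg.data}\n`;
  return out + "\n";
}

// Hardened formatter: id and event are single-line fields, so CR/LF are
// removed; data may legitimately span lines, so each line gets its own
// "data:" prefix (the client rejoins them with "\n"), which means a newline
// in the payload can never be read as an event delimiter.
function formatMessageSafe(msg) {
  const oneLine = (v) => String(v).replace(/[\r\n]/g, "");
  let out = "";
  if (msg.id !== undefined) out += `id: ${oneLine(msg.id)}\n`;
  if (msg.event !== undefined) out += `event: ${oneLine(msg.event)}\n`;
  if (msg.data !== undefined) {
    for (const line of String(msg.data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  }
  return out + "\n";
}

// Comments are single-line too; a newline inside one would break out of it.
function formatCommentSafe(text) {
  return `: ${String(text).replace(/[\r\n]/g, "")}\n`;
}

// Minimal SSE parser following the EventSource rules: events are separated
// by blank lines, each line is "field: value", lines starting with ":" are
// comments, one optional space after the colon is dropped, and multiple data
// lines are joined with "\n". The last id persists across events.
function parseEventStream(stream) {
  const events = [];
  let data = [], event = "message", id;
  const dispatch = () => {
    if (data.length) events.push({ id, event, data: data.join("\n") });
    data = []; event = "message";
  };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === "") { dispatch(); continue; }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") data.push(value);
    else if (field === "event") event = value;
    else if (field === "id") id = value;
  }
  dispatch();
  return events;
}

// Constructed attacker input: a "display name" that closes the chat event
// and appends a second, attacker-chosen event.
const HOSTILE_NAME = 'alice\n\nevent: admin-command\ndata: {"action":"grant-role","role":"admin"}\n';

// Formats one chat notification containing the hostile name and returns the
// events a client would dispatch from the resulting stream.
function demo(formatter) {
  const stream = formatter({ event: "chat", data: `${HOSTILE_NAME} joined` });
  return parseEventStream(stream);
}

console.log("vulnerable:", JSON.stringify(demo(formatMessageVulnerable)));
console.log("hardened:  ", JSON.stringify(demo(formatMessageSafe)));
```

With the vulnerable formatter the client dispatches two events, the second named admin-command carrying attacker‑supplied JSON; with the hardened formatter it dispatches a single chat event whose data round‑trips unchanged. Stripping is the minimal fix; rejecting values that contain CR or LF in id, event or comment is stricter and surfaces the bug to the caller instead of silently altering the value.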

Advisories
Source: GitHub GHSA
ID: GHSA-22cc-p3c6-wpvm
Title: h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
History

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared: H3; H3 h3
CPEs:
  cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*
  cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*
Vendors & Products: H3; H3 h3

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared: H3js; H3js h3
Vendors & Products: H3js; H3js h3

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
Description: H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Title: h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
Weaknesses: CWE-93
References:
Metrics: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T11:40:27.956Z

Reserved: 2026-03-17T20:35:49.927Z

Link: CVE-2026-33128

Vulnrichment

Updated: 2026-03-20T11:40:21.329Z

NVD

Status : Analyzed

Published: 2026-03-20T10:16:19.160

Modified: 2026-03-20T20:00:21.330

Link: CVE-2026-33128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:40Z

Weaknesses