Description
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
Published: 2026-03-20
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure via Timing Side-Channel
Action: Patch
AI Analysis

Impact

H3, a minimal HTTP framework, contains a timing side-channel in its basic authentication function caused by the use of an unsafe string comparison (!==). The vulnerability allows an attacker to measure the server's response time for successive password attempts and deduce each password character one at a time, effectively bypassing password complexity protections and exposing the credentials.

Affected Systems

The vulnerable H3 library (h3js:h3) is affected in versions 2.0.1-beta.0 through 2.0.0-rc.8. The issue is fixed in version 2.0.1-rc.9 and later. These versions run in Node.js environments.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. An attacker would need remote network access to an HTTP server that uses H3 basic authentication; by repeatedly sending credential guesses and monitoring response times, they could recover valid passwords character by character. The attack requires no special privileges and relies solely on measurable timing differences.

Generated by OpenCVE AI on March 20, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade h3 to version 2.0.1-rc.9 or later, which contains the patch that implements a constant-time comparison for basic authentication.



Advisories

Source: GitHub GHSA
ID: GHSA-26f5-8h2x-34xh
Title: h3 has an observable timing discrepancy in basic auth utils
History

Fri, 20 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 20:00:00 +0000

Type: First Time appeared
Values Added: H3; H3 h3

Type: CPEs
Values Added:
cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*
cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: H3; H3 h3

Fri, 20 Mar 2026 16:30:00 +0000

Type: First Time appeared
Values Added: H3js; H3js h3

Type: Vendors & Products
Values Added: H3js; H3js h3

Fri, 20 Mar 2026 10:00:00 +0000

Type: Description
Values Added: H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.

Type: Title
Values Added: h3 has an observable timing discrepancy in basic auth utils

Type: Weaknesses
Values Added: CWE-208

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:33:49.871Z

Reserved: 2026-03-17T20:35:49.927Z

Link: CVE-2026-33129

Vulnrichment

Updated: 2026-03-20T19:33:40.303Z

NVD

Status: Analyzed

Published: 2026-03-20T10:16:19.317

Modified: 2026-03-20T19:58:02.500

Link: CVE-2026-33129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:39Z

Weaknesses