CVE-2026-33129 PUBLISHED

h3 has an observable timing discrepancy in basic auth utils

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 20.03.2026 Updated: 20.03.2026

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	h3js
Product	h3
Versions	Version >= 2.0.1-beta.0, < 2.0.1-rc.9 is affected

References

Problem Types

CWE-208: Observable Timing Discrepancy CWE