
CVE-2026-33129

Published 20/03/2026 10:16 · Modified 20/03/2026 19:58

Labels: CVE-2026-33129, 2026-03-20, CWE-208

Essential information

Published: 20/03/2026 10:16
Modified: 20/03/2026 19:58
Author:
Creator:
CVSS: 5.9 MEDIUM (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
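
The comparison pattern named in the description, next to a constant-time alternative, as an added Node.js example. This is not h3's code or its actual patch; the names unsafeEqual, safeEqual and checkBasicAuth are hypothetical and the credentials are constructed.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Pattern from the description: !== is not guaranteed constant-time, so its
// duration can depend on how much of the supplied value matches the secret.
function unsafeEqual(supplied, expected) {
  if (supplied !== expected) return false;
  return true;
}

// Per-process random key. Both inputs are reduced to 32-byte HMAC digests, so
// timingSafeEqual always receives equal-length buffers (it throws otherwise)
// and there is no early return that depends on the input length.
const COMPARE_KEY = randomBytes(32);

function safeEqual(supplied, expected) {
  const a = createHmac("sha256", COMPARE_KEY).update(String(supplied)).digest();
  const b = createHmac("sha256", COMPARE_KEY).update(String(expected)).digest();
  return timingSafeEqual(a, b);
}

// Parse "Authorization: Basic <base64(user:pass)>" and verify both fields.
function checkBasicAuth(header, expectedUser, expectedPass) {
  let user = "";
  let pass = "";
  let wellFormed = false;
  if (typeof header === "string" && /^Basic /i.test(header)) {
    const decoded = Buffer.from(header.slice(6).trim(), "base64").toString("utf8");
    const sep = decoded.indexOf(":"); // the password may itself contain ':'
    if (sep !== -1) {
      user = decoded.slice(0, sep);
      pass = decoded.slice(sep + 1);
      wellFormed = true;
    }
  }
  // Run both comparisons unconditionally, then combine, so a wrong username
  // does not skip the password check and shorten the response time.
  const userOk = safeEqual(user, expectedUser);
  const passOk = safeEqual(pass, expectedPass);
  return wellFormed && userOk && passOk;
}
```
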

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product    CPE
h3 / h3    cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*
h3 / h3    cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*

References