{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T09:41:21.933Z", "dateUpdated": "2026-03-20T19:33:49.871Z"}, "containers": {"cna": {"title": "h3 has an observable timing discrepancy in basic auth utils", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"}, {"name": "https://github.com/h3js/h3/pull/1283", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/pull/1283"}, {"name": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.1-beta.0, < 2.0.1-rc.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:41:21.933Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}], "source": {"advisory": "GHSA-26f5-8h2x-34xh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T19:33:14.795855Z", "id": "CVE-2026-33129", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:33:49.871Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33129", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T19:33:14.795855Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:33:40.303Z"}}], "cna": {"title": "h3 has an observable timing discrepancy in basic auth utils", "source": {"advisory": "GHSA-26f5-8h2x-34xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.1-beta.0, < 2.0.1-rc.9"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "name": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/h3/pull/1283", "name": "https://github.com/h3js/h3/pull/1283", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "name": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:41:21.933Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33129", "state": "PUBLISHED", "dateUpdated": "2026-03-20T19:33:49.871Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T09:41:21.933Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.1-beta.0 hasta la 2.0.0-rc.8 contienen una vulnerabilidad de canal lateral de tiempo en la funci\u00f3n requireBasicAuth debido al uso de una comparaci\u00f3n de cadenas insegura (!==). Esto permite a un atacante deducir la contrase\u00f1a v\u00e1lida car\u00e1cter por car\u00e1cter midiendo el tiempo de respuesta del servidor, eludiendo eficazmente las protecciones de complejidad de la contrase\u00f1a. Este problema est\u00e1 solucionado en la versi\u00f3n 2.0.1-rc.9."}], "id": "CVE-2026-33129", "lastModified": "2026-03-20T19:58:02.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T10:16:19.317", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/h3js/h3/pull/1283"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.1-beta.0,2.0.1-rc.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "h3", "source": "cna", "vendor": "h3js"}, "product": "h3", "vendor": "h3js"}], "analysis": {"en": {"generated_at": "2026-03-20T11:21:59.610087+00:00", "value": {"mitigation_remediation": ["Update H3 library to version 2.0.1-rc.9 or later", "Verify that the upgraded library is used in all deployments", "Check for updates regularly"], "summary": {"action": "Update Library", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is h3js:h3. Versions from 2.0.1\u2011beta.0 through 2.0.0\u2011rc.8 are impacted. Version 2.0.1\u2011rc.9 and later contain the fix.", "description_and_impact": "The vulnerability is a timing side\u2011channel in H3's requireBasicAuth function caused by an unsafe string comparison. An attacker measuring response times can deduce a correct password character one at a time. The effect is that an attacker can bypass password complexity and potentially obtain the full password, leading to unauthorized access. The weakness is identified as CWE\u2011208 \u2013 timing side\u2011channel.", "risk_and_exploitability": "The CVSS v3.1 score is 5.9, indicating a moderate risk. EPSS score is not available, so no quantitative likelihood is provided. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote traffic to a server running the vulnerable library; an attacker must send HTTP requests that trigger the authentication routine and measure timestamps. If successful, they can reconstruct the password, granting compromise of the affected service."}}}}, "created": "2026-03-20T14:13:52.367326+00:00", "updated": "2026-03-20T16:27:28.608632+00:00", "vendors": ["h3js", "h3js$PRODUCT$h3"]}