VYPR
Moderate severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 20, 2026

h3 has an observable timing discrepancy in basic auth utils

CVE-2026-33129

Description

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
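
The comparison pattern described above next to a constant-time alternative, as an added example that is not h3's code or its actual patch. The function names (`checkUnsafe`, `safeEqual`, `parseBasic`, `verifyBasicAuth`) and the HMAC-then-compare approach are assumptions chosen for illustration; only `crypto.timingSafeEqual` and the other Node.js built-ins are real APIs.

```javascript
// Added example (Node.js); all function names here are hypothetical.
const nodeCrypto = require("node:crypto");

// Pattern named in the advisory: `!==` on strings can return as soon as the
// first differing character is found, so run time depends on the secret.
function checkUnsafe(supplied, expected) {
  return !(supplied !== expected);
}

// Per-process random key: digests are fixed length and unpredictable to the
// client, so neither the length nor the content of the secret affects timing.
const macKey = nodeCrypto.randomBytes(32);

function digest(value) {
  return nodeCrypto.createHmac("sha256", macKey).update(String(value), "utf8").digest();
}

// timingSafeEqual throws on unequal lengths; equal-length digests avoid that.
function safeEqual(supplied, expected) {
  return nodeCrypto.timingSafeEqual(digest(supplied), digest(expected));
}

// Parse "Basic base64(username:password)"; the password may contain ":".
function parseBasic(header) {
  if (typeof header !== "string") return null;
  const [scheme, encoded] = header.trim().split(/\s+/);
  if (!scheme || scheme.toLowerCase() !== "basic" || !encoded) return null;
  const decoded = Buffer.from(encoded, "base64").toString("utf8");
  const idx = decoded.indexOf(":");
  if (idx === -1) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

function verifyBasicAuth(header, expected) {
  const creds = parseBasic(header);
  // Both comparisons always run, even for a malformed header or a wrong
  // username, so the work done does not reveal which part failed.
  const userOk = safeEqual(creds ? creds.username : "", expected.username);
  const passOk = safeEqual(creds ? creds.password : "", expected.password);
  return creds !== null && userOk && passOk;
}
```
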


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| h3 (npm) | >= 2.0.0-beta.0, < 2.0.1-rc.9 | 2.0.1-rc.9 |

Affected products

2
  • ghsa-coords
    Range: >= 2.0.0-beta.0, < 2.0.1-rc.9
  • h3js/h3v5
    Range: >= 2.0.1-beta.0, < 2.0.1-rc.9
