VYPR
Moderate severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 20, 2026

h3 has an observable timing discrepancy in basic auth utils

CVE-2026-33129

Description

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

H3 framework's requireBasicAuth uses unsafe string comparison, enabling timing side-channel attacks to recover passwords character-by-character.

Vulnerability

Overview

CVE-2026-33129 is a timing side-channel vulnerability in the H3 minimal HTTP framework, affecting versions 2.0.1-beta.0 through 2.0.0-rc.8. The flaw resides in the requireBasicAuth function, which uses the !== operator for string comparison. This operator is optimized to "fail fast" in V8 and most runtimes, returning immediately upon the first mismatched byte, thereby introducing measurable timing differences based on how many characters match [1][3].

Exploitation

Method

An attacker can exploit this by sending two concurrent requests: one with a password known to be incorrect from the first character (e.g., "AAAA...") and another with a guessed password. By measuring the time-to-first-byte (TTFB) or total response time, the attacker can statistically determine if the first character of the guessed password is correct. Repeating this process character-by-character allows full password recovery. The GitHub Security Advisory provides a detailed proof-of-concept demonstrating that this timing difference is statistically consistent even over remote networks, especially in local or cloud environments where network jitter is minimal [3].

Impact

Successful exploitation enables remote attackers to recover passwords without needing direct access to the server. While network jitter can complicate attacks over the internet, the vulnerability is highly effective in controlled environments, effectively bypassing password complexity protections [1][3].

Mitigation

The issue is fixed in version 2.0.1-rc.9. The fix introduces a constant-time string comparison function (timingSafeEqual) and a random jitter delay (0–99ms) before failing authentication, as implemented in pull request #1283 [2]. Users are advised to upgrade immediately.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: h3 (npm)
Affected versions: >= 2.0.0-beta.0, < 2.0.1-rc.9
Patched versions: 2.0.1-rc.9

Affected products (1)

  • h3js/h3v5
    Range: >= 2.0.1-beta.0, < 2.0.1-rc.9

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.