CVE-2026-33129

{"id": "CVE-2026-33129", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-03-20T10:16:19.317", "references": [{"url": "https://github.com/h3js/h3/pull/1283", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. Las versiones 2.0.1-beta.0 hasta la 2.0.0-rc.8 contienen una vulnerabilidad de canal lateral de tiempo en la funci\u00f3n requireBasicAuth debido al uso de una comparaci\u00f3n de cadenas insegura (!==). Esto permite a un atacante deducir la contrase\u00f1a v\u00e1lida car\u00e1cter por car\u00e1cter midiendo el tiempo de respuesta del servidor, eludiendo eficazmente las protecciones de complejidad de la contrase\u00f1a. Este problema est\u00e1 solucionado en la versi\u00f3n 2.0.1-rc.9."}], "lastModified": "2026-03-20T19:58:02.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "910077BC-C84C-4CAB-A0A5-761047F6F43C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C"}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}