PT-2026-26192 · H3 · H3
0Xkakash1 · Published 2026-03-18 · Updated 2026-03-22 · CVE-2026-33128
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
H3 versions prior to 1.15.6 and versions 2.0.0 through 2.0.1-rc.14
Description
The createEventStream function in H3 is susceptible to Server-Sent Events (SSE) injection because the formatEventStreamMessage() and formatEventStreamComment() functions do not sanitize newline characters. An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events into the stream delivered to connected clients. The SSE protocol uses newline characters as field delimiters and a double newline as the event separator, so an unsanitized newline lets an attacker inject new fields and whole events, manipulate reconnection behavior, and override the Last-Event-ID. Possible consequences are cross-user content injection, phishing, event spoofing, denial of service through aggressive reconnection attempts, and manipulation of event replay on reconnection. The issue resides in src/utils/internal/event-stream.ts, lines 170-187.
Recommendations
Versions prior to 1.15.6 should be updated to version 1.15.6 or later.
Versions 2.0.0 through 2.0.1-rc.14 should be updated to version 2.0.1-rc.15 or later.
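The fix the advisory describes amounts to never letting a line terminator reach the wire inside a single-line field. The following added example (not H3's own code; the field names and helper names are assumptions) shows a hardened formatter for the id/event/data/comment message shape, plus a minimal EventSource-style parser that confirms a value containing newlines still arrives as exactly one event.

```javascript
// Hardened SSE formatting for the message shape the advisory describes
// (added example, not H3's code; helper names are assumptions).
const LINE_TERMINATOR = /\r\n|\r|\n/g; // SSE line terminators: CRLF, LF, bare CR
// id, event and comment are single-line fields: a terminator inside them
// would close the field and let the remainder parse as new fields/events.
function sanitizeSingleLine(value) {
  return String(value).replace(LINE_TERMINATOR, "");
}

// Multi-line payloads are legal only as one "data:" line per line; the
// client rejoins them with "\n", so the payload is preserved, not truncated.
function formatDataField(data) {
  return String(data).split(LINE_TERMINATOR).map((l) => `data: ${l}\n`).join("");
}

function formatEventStreamMessage({ id, event, retry, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${sanitizeSingleLine(id)}\n`;
  if (event !== undefined) out += `event: ${sanitizeSingleLine(event)}\n`;
  // retry is a reconnection interval in ms; accept non-negative integers only.
  if (Number.isInteger(retry) && retry >= 0) out += `retry: ${retry}\n`;
  if (data !== undefined) out += formatDataField(data);
  return out + "\n"; // the blank line terminates the event
}

function formatEventStreamComment(comment) {
  return `: ${sanitizeSingleLine(comment)}\n`;
}
// Minimal EventSource-style parser: shows how many events a serialized
// chunk would actually dispatch to a browser client.
function parseEventStream(chunk) {
  const events = [];
  let cur = { id: undefined, event: "message", data: [] };
  for (const line of chunk.split(/\r\n|\r|\n/)) {
    if (line === "") { // blank line: dispatch if any data was collected
      if (cur.data.length) events.push({ ...cur, data: cur.data.join("\n") });
      cur = { id: cur.id, event: "message", data: [] }; // last id persists
      continue;
    }
    if (line.startsWith(":")) continue; // comment line, ignored by clients
    const i = line.indexOf(":");
    const field = i < 0 ? line : line.slice(0, i);
    let value = i < 0 ? "" : line.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") cur.data.push(value);
    else if (field === "event") cur.event = value;
    else if (field === "id") cur.id = value;
  }
  return events;
}
```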
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
H3