PT-2026-26193 · H3 · H3

Simonkoeck · Published 2026-03-18 · Updated 2026-03-22 · CVE-2026-33129

CVSS v3.1: 5.9 (Medium) · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: H3 versions 2.0.1-beta.0 through 2.0.0-rc.8

Description: H3 is a minimal H(TTP) framework. A timing side-channel issue exists in the requireBasicAuth function because it uses an unsafe string comparison (!==). This allows an attacker to deduce the valid password character by character by measuring the server's response time, bypassing password complexity protections.

The code compares the provided password with the expected password using the !== operator, which is optimized to "fail fast": it returns as soon as the first mismatching character is found, so the comparison takes slightly longer the more leading characters match. By measuring timing differences in responses to requests with slightly varying passwords, an attacker can recover the correct password one character at a time. This is most practical on local networks or in cloud environments where the attacker is co-located with the server, although the vulnerability is exploitable remotely. The vulnerable function is requireBasicAuth.

Recommendations: Update to version 2.0.1-rc.9 or later.

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2026-33129
GHSA-26F5-8H2X-34XH

Affected products

H3