CVE-2026-33129
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 npm packages depend on h3 (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.0-beta.0.
DescriptionGitHub Advisory
Summary
A Timing Side-Channel vulnerability exists in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections.
Details
The vulnerability is located in the requireBasicAuth function. The code performs a standard string comparison between the user-provided password and the expected password:
~~~typescript if (opts.password && password !== opts.password) { throw autheFailed(event, opts?.realm); } ~~~
In V8 (and most runtime environments), the !== operator is optimized to "fail fast." It stops execution and returns false as soon as it encounters the first mismatched byte.
- If the first character is wrong, it returns immediately.
- If the first character is correct but the second is wrong, it takes slightly longer.
By statistically analyzing these minute timing differences over many requests, an attacker can determine the correct password one character at a time.
PoC
This vulnerability is exploitable in real-world scenarios without direct access to the server machine.
To reproduce this, an attacker can send two packets (or bursts of packets) at the exact same time:
- Packet A: Contains a password that is known to be incorrect starting at the first character (e.g.,
AAAA...). - Packet B: Contains a password where the first character is a guess (e.g.,
B...).
By measuring the time-to-first-byte (TTFB) or total response time of these concurrent requests, the attacker can filter out network jitter. If Packet B takes consistently longer to return than Packet A, the first character is confirmed as correct. This process is repeated for the second character, and so on. Tests confirm this timing difference is statistically consistent enough to recover credentials remotely.
Impact
This vulnerability allows remote attackers to recover passwords. While network jitter makes this difficult over the internet, it is highly effective in local networks or cloud environments where the attacker is co-located. It reduces the complexity of cracking a password from exponential (guessing the whole string) to linear (guessing one char at a time).
AnalysisAI
A timing side-channel vulnerability exists in the h3 npm package's requireBasicAuth function, where unsafe string comparison using the !== operator allows attackers to deduce valid passwords character-by-character by measuring server response times. This affects all versions of h3 that implement this vulnerable authentication mechanism, and while a proof-of-concept exists demonstrating feasibility in local/co-located network environments, the attack requires statistical analysis over multiple requests and is significantly hampered by network jitter in internet-scale scenarios. The CVSS score of 5.9 reflects high confidentiality impact but high attack complexity, placing this in moderate-priority territory despite the linear password recovery capability.
Technical ContextAI
The vulnerability resides in the h3 library (pkg:npm/h3), which is a minimalist HTTP framework for JavaScript/TypeScript. The affected requireBasicAuth function performs HTTP Basic Authentication validation by directly comparing user-supplied credentials against expected values using the strict inequality operator !==. This operator, as implemented in the V8 JavaScript engine and most runtime environments, exhibits early-exit behavior—the comparison terminates as soon as the first mismatched byte is encountered rather than comparing the entire string in constant time. This is an instance of CWE-208 (Observable Timing Discrepancy), a class of side-channel vulnerabilities where information is leaked through measurable differences in execution time. The root cause is the absence of a constant-time comparison function (such as timingSafeEqual in Node.js crypto module) that would mask timing differences regardless of where the first mismatch occurs.
RemediationAI
The primary remediation is to upgrade to a patched version of h3 that replaces the unsafe !== comparison with a constant-time comparison function. Consult the h3 GitHub security advisory at https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh for the minimum patched version number and upgrade accordingly. If immediate patching is not feasible, implement compensating controls: restrict network access to the authentication endpoint using firewall rules or reverse proxy ACLs to limit the attack surface to trusted administrative networks; enforce rate-limiting on failed authentication attempts to increase the statistical noise and time required for a timing attack; deploy the service behind a reverse proxy (such as nginx) configured with connection pooling and response buffering to further mask timing variations; and enable HTTPS with HSTS to prevent man-in-the-middle timing measurement. These mitigations do not eliminate the vulnerability but raise the practical bar for exploitation significantly.
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-26f5-8h2x-34xh