CVE-2026-33128
Status: Received - Intake
SSE Injection in H3 Framework's createEventStream Function

Publication date: 2026-03-20

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6, and from 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection because formatEventStreamMessage() and formatEventStreamComment() do not neutralize newline characters. SSE uses a line break to end a field and a blank line to end an event, so an attacker who controls any part of an SSE message field (id, event, data, or a comment) can inject arbitrary SSE events, fields such as retry, and comments into the stream delivered to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Affected Vendors & Products
15 associated CPEs
Vendor   Product   Version / Range
h3       h3        < 1.15.6 (1.15.6 itself excluded)
h3       h3        2.0.0
h3       h3        2.0.1 (13 pre-release CPE entries; the listing drops their -rc suffixes, and the description names 2.0.1-rc.14 as the last affected build)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33128 is a Server-Sent Events (SSE) injection vulnerability in the h3 framework's createEventStream function. It occurs because the functions formatEventStreamMessage() and formatEventStreamComment() do not sanitize newline characters in SSE message fields such as id, event, data, or comment.

Since the SSE protocol uses newlines to separate fields and a blank line to terminate an event, an attacker who controls any part of these fields can inject newline characters to break out of the intended boundaries. This allows injection of arbitrary SSE events or fields to connected clients.

This vulnerability enables attackers to inject fake events, manipulate client reconnection behavior, spoof event IDs, and potentially cause denial-of-service by forcing aggressive reconnections. [2]
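The injection mechanism described in the Description and in this answer, as an added example that is neither h3's code nor part of the advisory: a naive formatter modeled on the CWE-93 defect, a hardened formatter, and a minimal event-stream parser standing in for a browser's EventSource. The attacker value INJECTED is constructed, and the function names (formatEventNaive, formatEventSafe, parseEventStream) are hypothetical, not h3's API.

```javascript
// Added example (not h3's code): a naive SSE formatter with the CWE-93 defect,
// a hardened formatter, and a small client-side parser that shows what a
// browser's EventSource would make of each output.

// Naive formatter modeled on the bug class: field values are interpolated
// unchanged, so CR/LF inside them become new SSE lines.
function formatEventNaive({ id, event, data }) {
  let out = '';
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  out += `data: ${data}\n\n`;
  return out;
}

// Hardened formatter: single-line fields (id, event) reject CR/LF outright;
// data, which may legitimately span lines, is emitted as one "data:" line per
// line so the client reassembles it verbatim and nothing can start a new field.
function formatEventSafe({ id, event, data }) {
  const singleLine = (name, value) => {
    const s = String(value);
    if (/[\r\n]/.test(s)) throw new TypeError(`SSE "${name}" field must not contain CR or LF`);
    return s;
  };
  let out = '';
  if (id !== undefined) out += `id: ${singleLine('id', id)}\n`;
  if (event !== undefined) out += `event: ${singleLine('event', event)}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Minimal event-stream parser following the WHATWG rules that matter here:
// a blank line dispatches, but only when data was seen; "id" updates the
// last-event-ID; "retry" takes effect as soon as its line is read.
function parseEventStream(text) {
  const state = { events: [], lastEventId: '', retryMs: undefined };
  let data = [];
  let type = '';
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') {
      if (data.length) {
        state.events.push({ type: type || 'message', data: data.join('\n'), lastEventId: state.lastEventId });
      }
      data = [];
      type = '';
      continue;
    }
    if (line.startsWith(':')) continue; // comment line, ignored by clients
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'data') data.push(value);
    else if (field === 'event') type = value;
    else if (field === 'id' && !value.includes('\0')) state.lastEventId = value;
    else if (field === 'retry' && /^\d+$/.test(value)) state.retryMs = Number(value);
  }
  return state;
}

// Constructed attacker-controlled value (e.g. a chat message echoed to other
// subscribers): it closes the current event and smuggles a second one plus a
// retry directive that forces 1 ms reconnects.
const INJECTED = 'hello\n\nevent: admin\ndata: {"role":"admin"}\nretry: 1\n\n';

function demo() {
  return {
    naive: parseEventStream(formatEventNaive({ data: INJECTED })),
    safe: parseEventStream(formatEventSafe({ data: INJECTED })),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { naive, safe } = demo();
  console.log('naive formatter:', naive.events.length, 'events dispatched, retry =', naive.retryMs);
  console.log('safe formatter: ', safe.events.length, 'event dispatched, retry =', safe.retryMs);
}
```

With the naive formatter the client dispatches two events (the second of type "admin") and adopts a 1 ms reconnection delay; with the hardened formatter it dispatches one "message" event whose data is the attacker's string verbatim. Rejecting CR/LF in id and event rather than silently stripping them makes an injection attempt visible to the server's error handling.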


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to inject arbitrary SSE events into your clients' event streams. This can lead to several harmful effects:

- Injection of fake or malicious events that may trigger privileged client-side handlers.
- Phishing attacks via fake system notifications sent as SSE events.
- Manipulation of client reconnection behavior by injecting retry directives, potentially causing denial-of-service through rapid reconnections.
- Overriding the Last-Event-ID to affect event replay on client reconnection.

Overall, this can compromise the integrity of the data your clients receive, potentially leading to security breaches, user confusion, or service disruption. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is exploited by placing newline characters in a value that the server writes into an SSE field (id, event, data, or a comment); the stream then carries extra 'id:', 'event:', 'data:', 'retry:' or comment lines the server never intended to send. Note that the resulting stream is syntactically valid SSE, so neither a client nor a packet capture can tell an injected event from a legitimate one by format alone: detection has to compare what is on the wire with what the application is supposed to emit, or be done on the server side.

- Check the installed package first: npm ls h3 (or the equivalent for your package manager) shows every copy of h3 in the dependency tree, including nested copies pulled in by frameworks built on h3, and npm audit reports known-vulnerable versions.
- Review server code for places where user-controlled strings reach an event stream's id, event, data or comment values without validation.
- Capture SSE traffic with tcpdump or Wireshark and look for HTTP responses with 'Content-Type: text/event-stream'. This only works for plaintext HTTP or at the TLS-terminating proxy; payloads on port 443 are encrypted on the wire, so grep will not see them there.
- Example tcpdump command (adjust interface and ports as needed):
- tcpdump -i any -s 0 -A 'tcp port 80 or tcp port 443' | grep --color=auto 'text/event-stream'
- Connect to the endpoint directly and inspect the raw stream for 'retry:' directives, unexpected 'event:' types, or 'id:' values the application never sets, ideally after submitting a test value containing a newline through whatever input the endpoint reflects:
- curl -N -H 'Accept: text/event-stream' https://your-sse-endpoint

An automated check can parse captured streams and flag events whose fields the application does not use (for example a 'retry:' line from a service that never sends one), or compare event ids against the server's own record of what it emitted. [2, 1]
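The version check suggested above, as an added example that is not part of the advisory or the h3 project: it compares an h3 version string against the ranges this advisory lists (< 1.15.6, and 2.0.0 through 2.0.1-rc.14, i.e. < 2.0.1-rc.15) using SemVer precedence so that pre-release ordering is handled correctly, and walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json. The lockfile excerpt SAMPLE_LOCK is constructed; the function names are hypothetical.

```javascript
// Added example (not h3's or the advisory's code): find h3 versions in a
// package-lock.json that fall inside the ranges this advisory lists:
// < 1.15.6, and >= 2.0.0 up to and including 2.0.1-rc.14 (i.e. < 2.0.1-rc.15).

// Parse "major.minor.patch[-prerelease][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Pre-release identifier ordering per SemVer 2.0.0: numeric identifiers are
// compared as numbers and sort before alphanumeric ones (so rc.9 < rc.10).
function compareIdentifier(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A release outranks its own pre-releases
// (2.0.1 > 2.0.1-rc.15 > 2.0.1-rc.14), which is exactly the boundary the
// advisory's second range sits on.
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return Math.sign(a.main[i] - b.main[i]);
  }
  const aRelease = a.pre.length === 0;
  const bRelease = b.pre.length === 0;
  if (aRelease && bRelease) return 0;
  if (aRelease) return 1;
  if (bRelease) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifier(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// Ranges taken from the advisory text; 2.0.0 pre-releases are outside the
// stated range and are therefore reported as not affected here.
const AFFECTED_RANGES = [
  { min: null, maxExclusive: '1.15.6' },          // every release before the 1.15.6 fix
  { min: '2.0.0', maxExclusive: '2.0.1-rc.15' },  // 2.0.0 .. 2.0.1-rc.14
];

function isAffectedH3Version(version) {
  return AFFECTED_RANGES.some(({ min, maxExclusive }) =>
    (min === null || compareSemver(version, min) >= 0) && compareSemver(version, maxExclusive) < 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Nested
// copies (node_modules/x/node_modules/h3) count too: a framework built on h3
// may carry its own copy, and that copy is the one its code imports.
function findAffectedH3(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isH3 = path === 'node_modules/h3' || path.endsWith('/node_modules/h3');
    if (isH3 && meta && meta.version && isAffectedH3Version(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile excerpt (not from any real project): the top-level h3
// is vulnerable, the nested copy under nitropack is already at the fixed rc.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { h3: '^1.15.0', nitropack: '*' } },
    'node_modules/h3': { version: '1.15.5' },
    'node_modules/nitropack': { version: '3.0.0' },
    'node_modules/nitropack/node_modules/h3': { version: '2.0.1-rc.15' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-h3.js [path/to/package-lock.json]; without an argument
  // the constructed sample is scanned.
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const hit of findAffectedH3(lock)) console.log(`AFFECTED ${hit.path} ${hit.version}`);
}
```

Only the lockfileVersion 2/3 "packages" map is handled; a v1 lockfile nests copies under "dependencies" and would need a recursive walk. Running the block against a real lockfile prints one line per vulnerable copy, and a copy is flagged only if it is inside a stated range, so 2.0.1-rc.15 and the final 2.0.1 are reported clean.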


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the affected 'h3' package to a version where the vulnerability is fixed.

- Upgrade to version 1.15.6 or later if using the 1.x series.
- Upgrade to version 2.0.1-rc.15 or later if using the 2.x release candidates.

These versions sanitize newline characters in SSE message fields, so a value containing CR or LF can no longer start a new SSE field or event. Check nested copies as well: a framework that depends on h3 may carry its own copy under node_modules, and every copy needs to be at a fixed version.

If an immediate upgrade is not possible, validate or sanitize any user-controlled data before it reaches createEventStream: reject or strip CR and LF in id, event and comment values, and for data either strip them or make sure each line is written as its own 'data:' line so that multi-line content cannot be read as new fields.

Additionally, monitor SSE traffic for suspicious injected events as a temporary detection measure. [2, 3]

