CVE-2026-33128
SSE Injection in H3 Framework's createEventStream Function
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| h3 | h3 | 2.0.0 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | to 1.15.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33128 is a Server-Sent Events (SSE) injection vulnerability in the h3 framework's createEventStream function. It occurs because the functions formatEventStreamMessage() and formatEventStreamComment() do not sanitize newline characters in SSE message fields such as id, event, data, or comment.

Since the SSE protocol uses newlines to separate fields and events, an attacker who controls any part of these fields can inject newline characters to break out of the intended boundaries. This allows injection of arbitrary SSE events or fields to connected clients.

This vulnerability enables attackers to inject fake events, manipulate client reconnection behavior, spoof event IDs, and potentially cause denial-of-service by forcing aggressive reconnections. [2]
How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to inject arbitrary SSE events into your clients' event streams. This can lead to several harmful effects:

- Injection of fake or malicious events that may trigger privileged client-side handlers.
- Phishing attacks via fake system notifications sent as SSE events.
- Manipulation of client reconnection behavior by injecting retry directives, potentially causing denial-of-service through rapid reconnections.
- Overriding the Last-Event-ID to affect event replay on client reconnection.

Overall, this can compromise the integrity of the data your clients receive, potentially leading to security breaches, user confusion, or service disruption. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Server-Sent Events (SSE) injection through unsanitized newline characters in SSE message fields. Detection involves monitoring SSE traffic for suspicious or malformed SSE messages containing unexpected newline characters or injected SSE control fields such as additional `id:`, `event:`, `data:`, or `retry:` lines.

You can detect potential exploitation by capturing SSE traffic and inspecting the event stream messages for newline characters within fields that should be single-line, or for unexpected SSE control sequences injected by an attacker.

- Use network traffic capture tools like tcpdump or Wireshark to capture HTTP responses with `Content-Type: text/event-stream`.
- Filter captured traffic for SSE streams and inspect the payload for suspicious newline characters within SSE fields.
- Example tcpdump command to capture SSE traffic on port 80 or 443 (adjust as needed): `tcpdump -i any -s 0 -A 'tcp port 80 or tcp port 443' | grep --color=auto 'text/event-stream'`
- Use curl or similar tools to manually request SSE endpoints and inspect the raw output for injected newlines or unexpected SSE fields.
- Example curl command to connect to an SSE endpoint: `curl -N https://your-sse-endpoint`

Since the vulnerability arises from unsanitized newline characters in SSE message fields, automated scanning tools or custom scripts can be developed to parse SSE streams and flag messages containing newline characters in `id` or `event` fields or suspicious multi-line comments. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the affected `h3` package to a patched version where the vulnerability is fixed.

- Upgrade to version 1.15.6 or later if using the 1.x series.
- Upgrade to version 2.0.1-rc.15 or later if using the 2.x release candidates.

These versions include sanitization of newline characters in SSE message fields, preventing injection of arbitrary SSE events.

If immediate upgrade is not possible, consider implementing input validation or sanitization on any user-controlled data that is sent via SSE to ensure newline characters are removed or escaped before being sent.

Additionally, monitor SSE traffic for suspicious injected events as a temporary detection measure. [2, 3]
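As an added example serving both the explanation under "Can you explain this vulnerability to me?" and the mitigation advice here (this is not code from h3 or from this advisory; the function names and field layout are assumed), a formatter in the shape the advisory describes, first unsanitized and then with CR/LF handling of the kind the patched versions are described as adding, plus a small EventSource-style parser showing what a client would dispatch from each:

```javascript
// Added example, not h3's own code: an SSE formatter in the shape the advisory
// describes (unsanitized, then hardened) plus a small client-side parser.

// Unsanitized: a CR/LF inside any field ends that line, so the remainder is
// parsed by the client as new SSE fields or a new event.
function formatEventStreamMessageUnsafe(msg) {
  let out = "";
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.retry !== undefined) out += `retry: ${msg.retry}\n`;
  return out + `data: ${msg.data}\n\n`;
}

// Hardened: id/event are single-line and lose CR/LF, retry must be a
// non-negative integer, and multi-line data becomes one "data:" line per line,
// which the client rejoins with "\n" (the spec's own multi-line encoding).
function formatEventStreamMessage(msg) {
  const single = (v) => String(v).replace(/[\r\n]/g, "");
  let out = "";
  if (msg.id !== undefined) out += `id: ${single(msg.id)}\n`;
  if (msg.event !== undefined) out += `event: ${single(msg.event)}\n`;
  if (msg.retry !== undefined) {
    if (!Number.isInteger(msg.retry) || msg.retry < 0) throw new TypeError("bad retry");
    out += `retry: ${msg.retry}\n`;
  }
  for (const part of String(msg.data).split(/\r\n|\r|\n/)) out += `data: ${part}\n`;
  return out + "\n";
}

// Minimal parser: a blank line dispatches the buffered event (only if it has
// data, per spec), ":" lines are comments, one space after the colon is dropped.
function parseEventStream(text) {
  const events = [];
  let cur = { data: [] };
  for (const raw of text.split(/\r\n|\r|\n/)) {
    if (raw === "") {
      if (cur.data.length) events.push({ ...cur, data: cur.data.join("\n") });
      cur = { data: [] };
      continue;
    }
    if (raw.startsWith(":")) continue;
    const i = raw.indexOf(":");
    const field = i < 0 ? raw : raw.slice(0, i);
    let value = i < 0 ? "" : raw.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") cur.data.push(value);
    else if (field === "id" || field === "event") cur[field] = value;
    else if (field === "retry" && /^\d+$/.test(value)) cur.retry = Number(value);
  }
  return events;
}
```

On the wire an injected `event:` line is byte-for-byte identical to a legitimate one (and over HTTPS a tcpdump capture shows only ciphertext), so the reliable check belongs where field values are formatted, as above, rather than only in traffic inspection.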