CVE-2026-33129
Timing Side-Channel in H3 requireBasicAuth Enables Password Bypass
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| h3 | h3 | 2.0.0 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
| h3 | h3 | 2.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows a remote attacker to recover valid passwords by exploiting timing differences in the authentication process. By deducing the password character-by-character, the attacker can bypass password complexity protections and gain unauthorized access.
The attack is feasible especially in low-latency environments such as local networks or cloud setups where the attacker is co-located with the target server.
The impact is primarily on confidentiality, as unauthorized access to systems or data can occur without affecting integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-33129 is a timing side-channel vulnerability in the requireBasicAuth function of the h3js/h3 framework versions 2.0.1-beta.0 through 2.0.0-rc.8. The vulnerability arises because the function uses an unsafe string comparison operator (!==) that performs a byte-by-byte comparison and returns immediately upon the first mismatch. This behavior causes the server's response time to vary depending on how many initial characters of the password are correct."}, {'type': 'paragraph', 'content': 'An attacker can exploit this timing difference by sending multiple authentication requests with different password guesses and measuring the response times. By statistically analyzing these timings, the attacker can deduce the valid password one character at a time, effectively bypassing password complexity protections.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 2.0.1-rc.9 by implementing a constant-time string comparison function and adding random jitter delays to authentication failure responses to prevent timing analysis.'}] [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by observing timing discrepancies in the server's response times during basic authentication attempts. An attacker or tester can send multiple authentication requests with different password guesses and measure the time-to-first-byte or overall response time to identify if the server leaks information about password correctness character-by-character."}, {'type': 'paragraph', 'content': 'To detect this on your system, you can use network analysis tools or scripting to send repeated authentication requests and measure response times. For example, using curl in a loop with different passwords and measuring response times, or using tools like Wireshark or tcpdump to capture and analyze timing patterns.'}, {'type': 'list_item', 'content': 'Use curl with timing output to measure response times for different password guesses: `curl -w "%{time_starttransfer}\\n" -o /dev/null -s -u user:password_guess http://target`'}, {'type': 'list_item', 'content': 'Use a scripting language (e.g., Python) to automate multiple requests with varying passwords and statistically analyze response times.'}, {'type': 'list_item', 'content': 'Capture network traffic with Wireshark or tcpdump and analyze timing differences between authentication attempts.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the h3 package to version 2.0.1-rc.9 or later, where the vulnerability is fixed by implementing constant-time string comparison and adding random jitter delays to authentication failure responses.
If upgrading immediately is not possible, consider implementing additional network-level protections such as rate limiting authentication attempts and monitoring for suspicious timing-based attack patterns.
The fix includes replacing unsafe string comparisons with a timing-safe comparison function and introducing randomized delays to prevent attackers from inferring password characters through timing analysis.