CVE-2026-33128 in h3js
Summary
by MITRE • 03/20/2026
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-33128 affects the H3 HTTP framework in versions prior to 1.15.6 and from 2.0.0 through 2.0.1-rc.14. The flaw sits in the Server-Sent Events implementation: createEventStream builds its wire output with formatEventStreamMessage() and formatEventStreamComment(), and neither function sanitizes line terminators in the values it interpolates. SSE is a line-oriented text protocol: every field is written as "name: value" on its own line, a line beginning with ":" is a comment, and a blank line ends the event. A carriage return or line feed inside a field value therefore ends that field line early, and whatever follows it is parsed by the client as further fields or, after a blank line, as a separate event. Because the affected functions write values without rejecting or neutralising those characters, an attacker who controls such a value can inject events that connected clients cannot distinguish from legitimate ones. The issue is classified as CWE-115 (Misinterpretation of Input) and mapped to ATT&CK technique T1211 (Exploitation for Defense Evasion). The practical severity depends on the consumer: a client that dispatches on the event name or trusts the id field will act on forged events, and a client that renders event data unsafely can be driven into executing injected script, but the injection itself gives control over the event stream and not code execution on its own.
Exploitation requires that the attacker influence any field of an SSE message: the id, the event name, the data, or a comment. A data value that contains a blank line followed by forged "event:" and "data:" lines makes the formatter emit two events where the application intended one, and the forged event can carry any name, id and payload the attacker chooses; a line terminator in an id, event or comment value likewise lets the attacker append fields to the current event. Because the event name selects which client-side handler runs, and because the last id a browser saw is sent back to the server as the Last-Event-ID header on reconnect, forged values reach code paths the legitimate stream never would. What this yields depends on the client: data exfiltration or script injection require a consumer that renders or evaluates event data unsafely, whereas disruption of the legitimate stream (terminating events early, overriding the event name or id) needs nothing beyond the injection. The issue matters most in applications that use SSE for live notifications, real-time data updates or other interactive features where the client treats the stream as a trusted channel, and in any application where request-derived data (user names, chat messages, query parameters) is echoed into an event without passing through a sanitising layer.
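The mechanism described in the two paragraphs above, as an added example written for this page (it is not h3's code and does not reproduce its formatEventStreamMessage() or formatEventStreamComment() implementation): a simplified SSE formatter in vulnerable and hardened form, and a minimal EventSource-style parser that shows what a client would dispatch. The message fields, the forged payload and the helper names are illustrative, and the hardening shown (stripping CR/LF from id, event and comment values, splitting data into one line per "data:" field) is one sound approach rather than a claim about how the h3 fix is written.

```javascript
"use strict";
// Added example for this page; not h3's own createEventStream code.

// SSE treats CR, LF and CRLF as line terminators, so all three must be handled.
const LINE_END = /\r\n|\r|\n/;

// Vulnerable formatter (the pattern the advisory describes): every field
// value is interpolated as-is. A line terminator inside a value ends the
// field line early, and the client parses what follows as new fields or,
// after a blank line, as a separate event.
function formatEventUnsafe(msg) {
  let out = "";
  if (msg.comment !== undefined) out += `: ${msg.comment}\n`;
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.data !== undefined) out += `data: ${msg.data}\n`;
  return out + "\n";
}

// Hardened formatter. id, event and comment values may never span lines,
// so line terminators are removed from them. data may legitimately contain
// newlines, so it is emitted as one "data:" line per line; the client joins
// them back with "\n". Either way no value can start a new field line.
function stripLineBreaks(value) {
  return String(value).replace(/[\r\n]/g, "");
}

function formatEventSafe(msg) {
  let out = "";
  if (msg.comment !== undefined) out += `: ${stripLineBreaks(msg.comment)}\n`;
  if (msg.id !== undefined) out += `id: ${stripLineBreaks(msg.id)}\n`;
  if (msg.event !== undefined) out += `event: ${stripLineBreaks(msg.event)}\n`;
  if (msg.data !== undefined) {
    for (const line of String(msg.data).split(LINE_END)) out += `data: ${line}\n`;
  }
  return out + "\n";
}

// Minimal client-side parser with the EventSource rules that matter here:
// "field: value" lines, ":"-prefixed comment lines ignored, a blank line
// dispatches the buffered event if it has data, data lines joined with "\n",
// and the last seen id persisting across events (it is what a browser sends
// back as Last-Event-ID on reconnect).
function parseEventStream(text) {
  const events = [];
  let id, event, data = [];
  for (const line of text.split(LINE_END)) {
    if (line === "") {
      if (data.length > 0) events.push({ id, event: event ?? "message", data: data.join("\n") });
      event = undefined;
      data = [];
      continue;
    }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") data.push(value);
    else if (field === "event") event = value;
    else if (field === "id") id = value;
  }
  return events;
}

// Constructed attacker-controlled data value: a blank line followed by a
// forged event and payload. Through the unsafe formatter the client sees
// two events; through the safe one it sees a single "notice" event whose
// data is exactly this string.
const INJECTED_DATA = 'hello\n\nevent: account-update\ndata: {"role":"admin"}';

function demo(formatter) {
  return parseEventStream(formatter({ id: "7", event: "notice", data: INJECTED_DATA }));
}

console.log(demo(formatEventUnsafe)); // 2 events, the second named "account-update"
console.log(demo(formatEventSafe));   // 1 "notice" event carrying the literal string
```

Note that the parser keeps the id across events on purpose: in the unsafe case the forged second event inherits id "7", which is exactly why a forged "id:" line is worth injecting too, since the client will present it to the server on its next reconnect.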
The operational impact for organisations running affected versions is that every client connected to a stream which carries attacker-influenced values can receive forged events. On the wire a forged event is indistinguishable from a legitimate one, so the client has no way to detect it, and the effect is not confined to one session: a single injected value written into a broadcast stream reaches every subscriber of that stream. Depending on what clients do with events, the result ranges from spurious notifications and disrupted real-time updates to exposure of data that a client fetches or displays in response to a forged event. The fix in versions 1.15.6 and 2.0.1-rc.15 adds newline sanitisation to the event formatting functions, so that user-controllable input can no longer carry line terminators into the stream output. This is the standard remedy for injection into a line-oriented protocol, the same discipline applied to CRLF characters in HTTP headers.
Mitigation should start with upgrading to 1.15.6 or 2.0.1-rc.15; no configuration setting in the affected versions removes the flaw. Inventory every application and service that depends on h3, including nested copies pulled in transitively by frameworks built on it, and schedule the upgrade for all of them. Until the upgrade lands, the interim control is at the application layer: strip or reject CR and LF in any value passed to createEventStream, particularly values derived from request input. Network-based content inspection is of limited value here, since the stream is served over the same TLS connection as the rest of the application, though logging which code paths feed untrusted input into event streams helps scope the exposure. The flaw is a reminder that line-oriented protocols need the same treatment as HTTP headers: custom SSE writers and other libraries that build event streams should be reviewed for the same defect, and dependency scanning should be configured to flag this advisory so that the patched versions are picked up as part of routine patching.
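An added example for the inventory step above (written for this page, not a VulDB or h3 tool): it walks the "packages" map of an npm lockfile (v2/v3 layout), finds every installed copy of h3 including nested ones, and flags versions inside the ranges the advisory lists. The lockfile fragment is constructed, and the semver comparison is a local helper rather than the npm semver package; in a real project the lockfile would be read from disk.

```javascript
"use strict";
// Added example for this page; not part of the advisory or of h3.

// Minimal semver comparison (no external package). Returns -1, 0 or 1.
// Pre-release identifiers compare numerically when both are numeric and as
// strings otherwise, and a version without a pre-release is greater than one
// with the same core and a pre-release ("2.0.1" > "2.0.1-rc.15").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    return pa.pre.length === pb.pre.length ? 0 : (pa.pre.length === 0 ? 1 : -1);
  }
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter pre-release list sorts first
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (nx !== ny) {
      return nx ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;

// Affected ranges exactly as the advisory states them:
// < 1.15.6, and >= 2.0.0 but < 2.0.1-rc.15.
function isAffectedH3(version) {
  return lt(version, "1.15.6") || (gte(version, "2.0.0") && lt(version, "2.0.1-rc.15"));
}

// Every installed h3 in a lockfile "packages" map. Keys are install paths
// such as "node_modules/h3" or "node_modules/<dep>/node_modules/h3", so a
// nested copy pinned by a dependency is found as well as the top-level one.
function findAffectedH3(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (!/(^|\/)node_modules\/h3$/.test(path) || !entry.version) continue;
    if (isAffectedH3(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile fragment for illustration (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/h3": { version: "2.0.1-rc.14" },
    "node_modules/some-server/node_modules/h3": { version: "1.15.5" },
    "node_modules/other-tool/node_modules/h3": { version: "1.15.6" },
    "node_modules/h3-not-really": { version: "0.0.1" },
  },
};

console.log(findAffectedH3(SAMPLE_LOCK)); // the 2.0.1-rc.14 and 1.15.5 copies
```

The pre-release handling is the part worth getting right: a naive string or numeric comparison would either treat 2.0.1-rc.14 as newer than 2.0.1-rc.15 (because "14" sorts after "1") or miss 2.0.0 entirely, and both mistakes leave an affected copy in place.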