@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +26 more potentially affected by CVE-2026-33490 via h3 (>=2.0.1-rc.11 <=2.0.1-rc.16)

h3 NPM version =2.0.1-rc.11, =2.4.0-alpha.2, =3.23.1-20260131-121433-34f631e, =0.15.0, =1.154.7, =0.0.1, =1.154.7, =1.154.7, =1.154.7, =2.0.0-beta.17 and more Source cves: CVE-2026-33490 Source advisory: OSV:GHSA-2J6Q-WHV2-GH6W...

Timing Attack

Overview org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Timing Attack via the requireBasicAuth function. An attacker can recover valid authentication credentials by measuring response times and deducin...

HTTP Request Smuggling

Overview org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to HTTP Request Smuggling via improper parsing of the Transfer-Encoding header in the readRawBody function. An attacker can bypass security controls...

Regular Expression Denial of Service

Overview three before version 0.125.0 is vulnerable to Regular Expression Denial of Service ReDoS. This can happen when handling rgb or hsl colors. POC var three = require'three' function buildblank n var ret = "rgb" for var i = 0; i n; i++ ret += " " return ret + ""; var Color = three.Color var...