H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| H3 | H3 | * | 1.15.6 (excluding) |
| H3 | H3 | 2.0.0 (including) | 2.0.0 (including) |
| H3 | H3 | 2.0.1-rc10 (including) | 2.0.1-rc10 (including) |
| H3 | H3 | 2.0.1-rc11 (including) | 2.0.1-rc11 (including) |
| H3 | H3 | 2.0.1-rc12 (including) | 2.0.1-rc12 (including) |
| H3 | H3 | 2.0.1-rc13 (including) | 2.0.1-rc13 (including) |
| H3 | H3 | 2.0.1-rc14 (including) | 2.0.1-rc14 (including) |
| H3 | H3 | 2.0.1-rc2 (including) | 2.0.1-rc2 (including) |
| H3 | H3 | 2.0.1-rc3 (including) | 2.0.1-rc3 (including) |
| H3 | H3 | 2.0.1-rc4 (including) | 2.0.1-rc4 (including) |
| H3 | H3 | 2.0.1-rc5 (including) | 2.0.1-rc5 (including) |
| H3 | H3 | 2.0.1-rc6 (including) | 2.0.1-rc6 (including) |
| H3 | H3 | 2.0.1-rc7 (including) | 2.0.1-rc7 (including) |
| H3 | H3 | 2.0.1-rc8 (including) | 2.0.1-rc8 (including) |
| H3 | H3 | 2.0.1-rc9 (including) | 2.0.1-rc9 (including) |