CVE-2026-33128: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in h3js h3
CVE-2026-33128 is a high-severity vulnerability in the h3js minimal HTTP framework affecting versions prior to 1.15.6 and between 2.0.0 and 2.0.1-rc.14. The flaw arises from improper neutralization of CRLF sequences in Server-Sent Events (SSE) message fields, allowing attackers who control any SSE message component (id, event, data, comment) to inject arbitrary SSE events to connected clients. This can lead to integrity compromise of SSE streams without requiring authentication or user interaction.
AI Analysis
Technical Summary
CVE-2026-33128 is a vulnerability classified under CWE-93 (Improper Neutralization of CRLF Sequences) affecting the h3js minimal HTTP framework, specifically in the createEventStream function used for Server-Sent Events (SSE). The issue exists in versions prior to 1.15.6 and between 2.0.0 and 2.0.1-rc.14, where the functions formatEventStreamMessage() and formatEventStreamComment() fail to sanitize newline characters properly. SSE is a web technology that allows servers to push real-time updates to clients over HTTP. The vulnerability allows an attacker who can control any part of an SSE message field—such as id, event, data, or comment—to inject arbitrary SSE events. This injection can manipulate the event stream received by clients, potentially causing them to execute unintended actions or process malicious data. The flaw arises because the framework does not neutralize CRLF sequences, which are used to delimit SSE messages, enabling injection of crafted events. The vulnerability has a CVSS 3.1 score of 7.5, indicating high severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and a scope change due to impact on connected clients. The integrity of the SSE stream is compromised, but confidentiality and availability impacts are limited. The issue is fixed in h3js versions 1.15.6 and 2.0.1-rc.15. No known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is the compromise of the integrity of Server-Sent Events streams delivered by vulnerable h3js servers. Attackers able to inject arbitrary SSE events can manipulate client-side event handling, potentially causing clients to execute malicious scripts or process falsified data. This could lead to unauthorized actions within client applications relying on SSE for real-time updates, such as injecting misleading information, triggering unintended behaviors, or bypassing client-side logic. While confidentiality and availability impacts are minimal, the integrity breach can undermine trust in real-time data streams and disrupt application workflows. Organizations using h3js in environments where SSE is critical—such as live dashboards, notifications, or real-time monitoring—face risks of data manipulation and client-side exploitation. The attack requires network access to the vulnerable server but no authentication or user interaction, increasing the risk in exposed deployments. Although no exploits are currently known in the wild, the high severity and ease of exploitation warrant prompt remediation to prevent potential attacks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade all affected h3js instances to version 1.15.6 or later, or 2.0.1-rc.15 or later, where the issue is fixed. If immediate upgrading is not feasible, implement input validation and sanitization on all SSE message fields (id, event, data, comment) to neutralize CRLF sequences before they reach the createEventStream functions. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SSE payloads containing CRLF injection patterns. Restrict network access to SSE endpoints to trusted clients and internal networks to reduce exposure. Monitor SSE traffic for anomalies that could indicate injection attempts. Additionally, review client-side SSE event handlers for robustness against malformed or unexpected events to minimize impact if injection occurs. Maintain up-to-date inventory of h3js versions in use and apply security patches promptly. Finally, conduct security testing focused on SSE injection vectors during development and deployment cycles.
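The following is an added illustration, not code from h3 or from this advisory, of the failure mode described in the technical summary and of the field-level neutralization the mitigation section recommends: a naive SSE formatter that interpolates fields verbatim next to a hardened one, plus a minimal parser showing what a client would dispatch. Function names and the sample message are hypothetical and constructed here.

```javascript
// Naive formatter: fields are copied verbatim, so a line break inside any
// field ends the current event early and the remainder is parsed as new lines.
function formatNaive({ id, event, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  return out + `data: ${data}\n\n`;
}

// Hardened formatter: single-line fields (id, event) have CR and LF removed;
// the data field is split on line breaks and emitted as one "data:" line per
// line, which a conforming SSE client rejoins into one multi-line payload.
function formatSafe({ id, event, data }) {
  const oneLine = (v) => String(v).replace(/[\r\n]/g, "");
  let out = "";
  if (id !== undefined) out += `id: ${oneLine(id)}\n`;
  if (event !== undefined) out += `event: ${oneLine(event)}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + "\n";
}

// Minimal SSE parser following the spec's dispatch rule: a blank line ends an
// event, which is dispatched only if its data buffer is non-empty.
function parseEvents(stream) {
  const events = [];
  let cur = { data: [] };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (cur.data.length) events.push({ ...cur, data: cur.data.join("\n") });
      cur = { data: [] };
      continue;
    }
    const i = line.indexOf(":");
    if (i === 0) continue; // comment line, ignored by clients
    const field = i < 0 ? line : line.slice(0, i);
    let value = i < 0 ? "" : line.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") cur.data.push(value);
    else if (field === "event" || field === "id") cur[field] = value;
  }
  return events;
}

// Constructed untrusted input: a payload carrying line breaks and SSE syntax.
const tainted = "hi\n\nevent: bogus\ndata: injected";
// Naive output splits into two events; hardened output stays one event whose
// data round-trips to the original string.
const naiveEvents = parseEvents(formatNaive({ id: "7", event: "message", data: tainted }));
const safeEvents = parseEvents(formatSafe({ id: "7", event: "message", data: tainted }));
```

Running the block shows `naiveEvents.length === 2` with a second event named `bogus`, while `safeEvents` contains exactly one `message` event whose `data` equals the original string.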
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.927Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd194ce32a4fbe5f4ea6c0
Added to database: 3/20/2026, 9:54:20 AM
Last enriched: 3/20/2026, 10:08:41 AM
Last updated: 3/20/2026, 11:23:09 AM