GHSA-4hxc-9384-m385: h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)

March 20, 2026

The EventStream class in h3 fails to sanitize carriage return (\r) characters in data and comment fields. Per the SSE specification, \r is a valid line terminator, so browsers interpret injected \r as line breaks. This allows an attacker to inject arbitrary SSE events, spoof event types, and split a single push() call into multiple distinct browser-parsed events. This is an incomplete fix bypass of commit 7791538 which addressed \n injection but missed \r-only injection.

References

github.com/advisories/GHSA-4hxc-9384-m385
github.com/h3js/h3
github.com/h3js/h3/security/advisories/GHSA-4hxc-9384-m385

Code Behaviors & Features

Detect and mitigate GHSA-4hxc-9384-m385 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →