H3 Server-Sent Events Injection Vulnerability

A Server-Sent Events (SSE) injection vulnerability has been identified in the H3 framework, specifically in versions prior to 1.15.6 and between 2.0.0 and 2.0.1-rc.14. The issue arises in the 'createEventStream' function, where missing newline sanitization in 'formatEventStreamMessage' and 'formatEventStreamComment' allows an attacker to inject arbitrary SSE events to connected clients. This vulnerability can be exploited by manipulating any part of an SSE message field (id, event, data, or comment).

Impact

Exploitation of this vulnerability allows for arbitrary injection of SSE events, which can be processed by clients as legitimate. This could lead to cross-user content injection in chat applications, phishing through fake system notifications, event spoofing for privileged event types, and manipulation of reconnection behaviors.

Reproduction

The vulnerability can be reproduced by sending SSE messages that include unescaped newline characters in the event, data, or comment fields. This can be done using a tool like curl to send crafted messages to a server that uses the H3 framework and has the vulnerability present.

Remediation

Users can upgrade to H3 versions 1.15.6 or 2.0.1-rc.15 or later, where this vulnerability has been patched.