GHSA-4hxc-9384-m385: h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Summary
The h3 library's EventStream class fails to remove carriage return characters (`\r`, a line break in the Server-Sent Events protocol) from `data` and `comment` fields, allowing attackers to inject fake events or split a single message into multiple events that browsers parse separately. This bypasses a previous fix that only removed newline characters (`\n`).
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-4hxc-9384-m385
First tracked: March 20, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%