CVE-2026-33732

MEDIUM

srvx is vulnerable to middleware bypass via absolute URI in request line

Title source: cna

Description

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

References (3)

Scores

CVSS v3 4.8
EPSS 0.0004
EPSS Percentile 10.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-706
Status published
Products (2)
h3js/srvx < 0.11.13
npm/srvx 0 - 0.11.13npm
Published Mar 26, 2026
Tracked Since Mar 26, 2026