CVE-2026-33732 MEDIUM

CVE-2026-33732: srvx is vulnerable to middleware bypass via absolute URI in request line

Vendor H3Js
Product srvx
Weakness CWE-706
Published March 26, 2026
Last update March 27, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

Key dates

02Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated

Related vulnerabilities

04Related CVE