CVE-2026-33732
srvx is vulnerable to middleware bypass via absolute URI in request line
CVSS Score
4.8
EPSS Score
0.0%
EPSS Percentile
8th
srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
| CWE | CWE-706 |
| Vendor | h3js |
| Product | srvx |
| Published | Mar 26, 2026 |
| Last Updated | Mar 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for h3js srvx
Be the first to know when new medium vulnerabilities affecting h3js srvx are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
h3js / srvx
< 0.11.13