CVE-2026-33732 (GCVE-0-2026-33732)
Vulnerability from cvelistv5 – Published: 2026-03-26 17:21 – Updated: 2026-03-27 14:41
Title
srvx is vulnerable to middleware bypass via absolute URI in request line
Summary
srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
Severity
4.8 (Medium)
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
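Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr | x_refsource_CONFIRM |
| https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa | x_refsource_MISC |
| https://github.com/h3js/srvx/releases/tag/v0.11.13 | x_refsource_MISC |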
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:41:02.997076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:41:11.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "srvx",
"vendor": "h3js",
"versions": [
{
"status": "affected",
"version": "\u003c 0.11.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx\u0027s `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-706",
"description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:21:15.709Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr"
},
{
"name": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa"
},
{
"name": "https://github.com/h3js/srvx/releases/tag/v0.11.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/h3js/srvx/releases/tag/v0.11.13"
}
],
"source": {
"advisory": "GHSA-p36q-q72m-gchr",
"discovery": "UNKNOWN"
},
"title": "srvx is vulnerable to middleware bypass via absolute URI in request line"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33732",
"datePublished": "2026-03-26T17:21:15.709Z",
"dateReserved": "2026-03-23T17:34:57.560Z",
"dateUpdated": "2026-03-27T14:41:11.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}