CVE-2026-33732
Status: Received - Intake
Pathname Parsing Bypass in srvx FastURL Causes Middleware Bypass

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-02
Generated: 2026-05-27
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-25
References: NVD, EUVD
Affected Vendors & Products
Vendor: h3
Product: srvx
Version / Range: all versions before 0.11.13 (0.11.13 itself is not affected)
Exploitability
CWE: CWE-706 (Use of Incorrectly-Resolved Name or Reference): The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in srvx prior to version 0.11.13 is a pathname parsing discrepancy in its FastURL component on the Node.js adapter. FastURL parses request targets by hand rather than with the native URL parser, and the two disagree when a raw HTTP request uses an absolute URI with a non-standard scheme (such as file://) in which a question mark appears before the first slash after the authority: FastURL extracts the pathname starting at that later slash, while the native parser treats everything after the question mark as the query string and yields a different pathname. Components that parse the same request with different parsers therefore see different pathnames.

This is what makes middleware bypass possible: route-based middleware such as authentication guards or rate limiters matches on the pathname, so a guard that sees one pathname can wave through a request that a later component dispatches under another. The trigger is a raw HTTP request whose request-target is an absolute URI with a non-standard scheme. Browsers never send such a request to an origin server (they send origin-form targets such as /path), so it has to be crafted with a raw TCP client.

The fix in version 0.11.13 forces the FastURL constructor to use the native URL parser for any string not starting with a slash, ensuring consistent and correct pathname resolution.
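The following is an added illustration, not srvx's FastURL implementation: a toy pathname extractor that scans for the first "/" after the authority (the class of bug described above), the WHATWG URL result for the same target, a guard/dispatcher pair that disagree about the route, and a hardened variant that mirrors the shape of the 0.11.13 fix. The function names (naiveFastPathname, nativePathname, safePathname, simulate), the assumed origin http://localhost, and the crafted target file://host?x/admin are assumptions chosen to match the description, not values from the advisory.

```javascript
// Added example (not srvx code): model of the parsing discrepancy described in
// CVE-2026-33732. naiveFastPathname() stands in for a hand-rolled fast path;
// nativePathname() is the WHATWG URL parser; safePathname() applies the shape
// of the 0.11.13 fix (fast path only for targets that start with "/").

function naiveFastPathname(target) {
  // Origin-form target ("/path?query"): pathname ends at the first "?" or "#".
  if (target.startsWith('/')) {
    const end = target.search(/[?#]/);
    return end === -1 ? target : target.slice(0, end);
  }
  // Absolute-form target: skip "scheme://" and take everything from the first
  // "/" after it. This is the modelled bug: a "?" before that "/" is ignored,
  // so "file://host?x/admin" is read as pathname "/admin".
  const authorityStart = target.indexOf('://');
  if (authorityStart === -1) return '/';
  const slash = target.indexOf('/', authorityStart + 3);
  if (slash === -1) return '/';
  const rest = target.slice(slash);
  const end = rest.search(/[?#]/);
  return end === -1 ? rest : rest.slice(0, end);
}

function nativePathname(target) {
  // A server resolves origin-form targets against its own origin; the base is
  // ignored for absolute targets. Assumed origin for this example: http://localhost.
  return new URL(target, 'http://localhost').pathname;
}

function safePathname(target) {
  // Hardened form: anything that does not start with "/" goes to the native
  // parser, so every component sees the same pathname. A target that is
  // neither origin-form nor a valid absolute URL makes URL throw a TypeError.
  return target.startsWith('/') ? naiveFastPathname(target) : new URL(target).pathname;
}

// A route-based guard protecting /admin with one parser, followed by a
// dispatcher choosing the handler with the other: the mismatch is the bypass.
// Returns what each stage saw and the outcome.
function simulate(target, guardParse, routeParse) {
  const guardSaw = guardParse(target);
  if (guardSaw.startsWith('/admin')) {
    return { guardSaw, routeSaw: null, outcome: '401 auth required' };
  }
  const routeSaw = routeParse(target);
  const outcome = routeSaw.startsWith('/admin') ? '200 admin handler reached' : '200 public';
  return { guardSaw, routeSaw, outcome };
}

// Constructed request-target, as it would appear in a raw request line:
//   GET file://host?x/admin HTTP/1.1
const CRAFTED = 'file://host?x/admin';

console.log('native :', nativePathname(CRAFTED));      // "/"
console.log('fast   :', naiveFastPathname(CRAFTED));   // "/admin"
console.log('mixed  :', simulate(CRAFTED, nativePathname, naiveFastPathname)); // admin handler reached
console.log('fixed  :', simulate(CRAFTED, safePathname, safePathname));        // 200 public
```

Note the direction of the fix: it does not try to make the fast path agree with the native parser for every input; it removes the fast path for every input that is not origin-form, which is the only class of target a browser sends, so nothing legitimate loses the optimisation.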


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to bypass middleware that relies on pathname matching, such as authentication guards or rate limiters. Because the pathname parsing is inconsistent, some middleware may see a different pathname than others, enabling unauthorized access or evasion of security controls.

Exploitation requires sending specially crafted raw HTTP requests whose request-target is an absolute URI with a non-standard scheme. Sending such a request needs nothing more than a raw TCP client, but the vulnerability is rated as having high attack complexity, since a bypass depends on the application's middleware and routing actually parsing the pathname with different parsers.

The overall impact is moderate, with low confidentiality and integrity impacts, and no availability impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for raw HTTP requests whose request-target is an absolute URI with a non-standard scheme such as "file://". Browsers only send origin-form targets (/path) to an origin server, so any request line whose target does not start with "/" (other than "*" and the host:port form used by CONNECT) is unusual and may indicate an attempt to exploit the pathname parsing discrepancy in srvx's FastURL component; "file://" is only the scheme the advisory uses as its example, so do not limit detection to it.

To detect these requests on the wire, you can use packet capture tools like tcpdump or Wireshark to filter HTTP requests containing absolute URIs with non-standard schemes. Capture only sees plaintext HTTP: for TLS traffic, capture at the TLS-terminating proxy or log the raw request line in the application instead.

  • Use tcpdump to capture HTTP requests with "file://" URIs: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'file://' (the BPF expression keeps only segments that carry TCP payload; widen the grep pattern to other schemes as needed)
  • Use grep or similar tools on server logs to search for request lines whose target does not start with "/", e.g. grep 'file://' access.log for the example scheme. Check what the log actually records: a log written after the request has been parsed may contain a normalized pathname rather than the raw request line. On the Node.js adapter, Node's http.IncomingMessage exposes the raw request-target as req.url, and that is the value worth logging.

Because exploitation requires sending raw HTTP requests with absolute URIs containing non-standard schemes, which standard browsers do not send, detection focuses on identifying such unusual request patterns.
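As an added example (not from the advisory or srvx), the check described above as a script: it classifies the request-target of each request line by its RFC 9112 form and reports the ones an origin server should never receive from a browser. The access log lines are constructed for the example in combined log format; the function names and the split into "alerts" and "review" are this example's own choices.

```javascript
// Added example: scan request lines for absolute-form targets with non-http(s)
// schemes, the pattern CVE-2026-33732 exploitation relies on. Sample data below
// is constructed, not real traffic.

const REQUEST_LINE = /^([A-Z]+) (\S+) HTTP\/\d(?:\.\d)?$/;
const SCHEME = /^([A-Za-z][A-Za-z0-9+.-]*):/;

// RFC 9112 request-target forms: origin-form ("/path"), absolute-form
// ("scheme://..."), authority-form (CONNECT host:port), asterisk-form ("*").
// A "host:port" target on a non-CONNECT method falls through to the scheme
// check and is reported as well, since it is just as anomalous.
function classifyTarget(method, target) {
  if (target === '*') return 'asterisk-form';
  if (target.startsWith('/')) return 'origin-form';
  if (method === 'CONNECT') return 'authority-form';
  const m = SCHEME.exec(target);
  if (!m) return 'malformed';
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https' ? 'absolute-form' : `absolute-form:${scheme}`;
}

// Accepts either a raw request line or a combined-format access log line in
// which the request line is the quoted field.
function extractRequestLine(logLine) {
  const quoted = /"([A-Z]+ \S+ HTTP\/[0-9.]+)"/.exec(logLine);
  return quoted ? quoted[1] : logLine.trim();
}

// alerts: absolute URIs with a non-http(s) scheme, or targets that cannot be
// classified. review: http(s) absolute-form, which is legitimate for proxies
// but still worth checking against what your deployment expects.
function scanRequestLines(lines) {
  const alerts = [];
  const review = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(extractRequestLine(line));
    if (!m) continue;
    const kind = classifyTarget(m[1], m[2]);
    if (kind === 'malformed' || kind.startsWith('absolute-form:')) alerts.push({ line, kind });
    else if (kind === 'absolute-form') review.push({ line, kind });
  }
  return { alerts, review };
}

// Constructed sample log (combined format); only lines 2 and 6 are attacks.
const SAMPLE_LOG = [
  '10.0.0.5 - - [26/Mar/2026:10:00:00 +0000] "GET /api/users HTTP/1.1" 200 512',
  '10.0.0.5 - - [26/Mar/2026:10:00:01 +0000] "GET file://x?/admin/users HTTP/1.1" 200 2048',
  '10.0.0.9 - - [26/Mar/2026:10:00:02 +0000] "OPTIONS * HTTP/1.1" 204 0',
  '10.0.0.9 - - [26/Mar/2026:10:00:03 +0000] "CONNECT example.com:443 HTTP/1.1" 200 0',
  '10.0.0.7 - - [26/Mar/2026:10:00:04 +0000] "GET http://example.com/health HTTP/1.1" 200 2',
  '10.0.0.7 - - [26/Mar/2026:10:00:05 +0000] "GET gopher://x?/admin HTTP/1.1" 200 2048',
];

const report = scanRequestLines(SAMPLE_LOG);
for (const { line, kind } of report.alerts) console.log(`ALERT ${kind}: ${line}`);
for (const { line, kind } of report.review) console.log(`review ${kind}: ${line}`);
```

The same classifyTarget predicate can sit in front of the application (rejecting every target that is neither origin-form, asterisk-form nor a CONNECT authority-form) if an upgrade has to wait, but it only works if it sees the raw request line, so it must run at or before TLS termination.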


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade srvx to version 0.11.13 or later, where the FastURL constructor has been fixed to properly handle absolute URIs by deoptimizing to the native URL parser for any string not starting with a slash.

This fix ensures consistent and correct pathname resolution across all middleware, preventing middleware bypass caused by pathname parsing discrepancies.

If upgrading immediately is not possible, consider filtering at a reverse proxy or WAF in front of the application. Since the fix routes every target that does not start with "/" to the native parser, the matching interim rule is to reject any request-target that does not start with "/" (allowing "*" and the host:port form of CONNECT if you need them), rather than matching only "file://", which would miss other non-standard schemes. The filter has to see the raw request line, so it must sit at or before TLS termination, and it cannot rely on the application's own access log, which may record an already-normalized pathname.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in srvx prior to version 0.11.13 causes inconsistent pathname resolution in middleware due to a pathname parsing discrepancy when handling absolute URIs with non-standard schemes. This inconsistency can lead to bypassing route-based middleware such as authentication guards or rate limiters.

Such bypasses could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data, because unauthorized access might be gained by circumventing middleware protections.

However, exploitation requires sending raw HTTP requests with absolute URIs using non-standard schemes, which is not possible from standard browsers, and the vulnerability has a moderate severity with low confidentiality and integrity impact.

The fix in version 0.11.13 ensures consistent pathname resolution, preventing middleware bypass and helping maintain compliance with security requirements in regulated environments.

