CVE-2026-33732
Received Received - Intake
Pathname Parsing Bypass in srvx FastURL Causes Middleware Bypass

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33732
EUVD
EUVD-2026-16291
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
h3 srvx to 0.11.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in srvx prior to version 0.11.13 involves a pathname parsing discrepancy in its FastURL component on the Node.js adapter. When a raw HTTP request uses an absolute URI with a non-standard scheme (such as file://), the pathname is parsed inconsistently. FastURL's manual parsing extracts the pathname incorrectly when a question mark appears before the first slash after the authority, leading to different pathname values seen by middleware.

This inconsistency allows middleware bypass because route-based middleware like authentication guards or rate limiters rely on consistent pathname matching. The vulnerability is triggered by sending a raw HTTP request with an absolute URI containing a non-standard scheme, which is not possible from standard browsers.

The fix in version 0.11.13 forces the FastURL constructor to use the native URL parser for any string not starting with a slash, ensuring consistent and correct pathname resolution.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass middleware that relies on pathname matching, such as authentication guards or rate limiters. Because the pathname parsing is inconsistent, some middleware may see a different pathname than others, enabling unauthorized access or evasion of security controls.

Exploitation requires sending specially crafted raw HTTP requests with absolute URIs using non-standard schemes, which is complex and has high attack complexity.

The overall impact is moderate, with low confidentiality and integrity impacts, and no availability impact.

Detection Guidance

This vulnerability can be detected by monitoring for raw HTTP requests that use absolute URIs with non-standard schemes such as "file://" in the request line. Such requests are unusual and may indicate attempts to exploit the pathname parsing discrepancy in srvx's FastURL component.

To detect these requests on your system or network, you can use packet capture tools like tcpdump or Wireshark to filter HTTP requests containing absolute URIs with non-standard schemes.

  • Use tcpdump to capture HTTP requests with "file://" URIs: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'file://'
  • Use grep or similar tools on server logs to search for request lines containing absolute URIs starting with non-standard schemes, e.g., grep 'file://' access.log

Because exploitation requires sending raw HTTP requests with absolute URIs containing non-standard schemes, which standard browsers do not send, detection focuses on identifying such unusual request patterns.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade srvx to version 0.11.13 or later, where the FastURL constructor has been fixed to properly handle absolute URIs by deoptimizing to the native URL parser for any string not starting with a slash.

This fix ensures consistent and correct pathname resolution across all middleware, preventing middleware bypass caused by pathname parsing discrepancies.

If upgrading immediately is not possible, consider implementing network-level filtering to block raw HTTP requests containing absolute URIs with non-standard schemes such as "file://" to reduce the risk of exploitation.

Compliance Impact

The vulnerability in srvx prior to version 0.11.13 causes inconsistent pathname resolution in middleware due to a pathname parsing discrepancy when handling absolute URIs with non-standard schemes. This inconsistency can lead to bypassing route-based middleware such as authentication guards or rate limiters.

Such bypasses could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data, because unauthorized access might be gained by circumventing middleware protections.

However, exploitation requires sending raw HTTP requests with absolute URIs using non-standard schemes, which is not possible from standard browsers, and the vulnerability has a moderate severity with low confidentiality and integrity impact.

The fix in version 0.11.13 ensures consistent pathname resolution, preventing middleware bypass and helping maintain compliance with security requirements in regulated environments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33732. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart