{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33732", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-03-26T17:21:15.709Z", "dateUpdated": "2026-03-27T14:41:11.864Z"}, "containers": {"cna": {"title": "srvx is vulnerable to middleware bypass via absolute URI in request line", "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr"}, {"name": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa"}, {"name": "https://github.com/h3js/srvx/releases/tag/v0.11.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/srvx/releases/tag/v0.11.13"}], "affected": [{"vendor": "h3js", "product": "srvx", "versions": [{"version": "< 0.11.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:21:15.709Z"}, "descriptions": [{"lang": "en", "value": "srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution."}], "source": {"advisory": "GHSA-p36q-q72m-gchr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:41:02.997076Z", "id": "CVE-2026-33732", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:41:11.864Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:41:02.997076Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:41:07.245Z"}}], "cna": {"title": "srvx is vulnerable to middleware bypass via absolute URI in request line", "source": {"advisory": "GHSA-p36q-q72m-gchr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "h3js", "product": "srvx", "versions": [{"status": "affected", "version": "< 0.11.13"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr", "name": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa", "name": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/h3js/srvx/releases/tag/v0.11.13", "name": "https://github.com/h3js/srvx/releases/tag/v0.11.13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:21:15.709Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33732", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:41:11.864Z", "dateReserved": "2026-03-23T17:34:57.560Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:21:15.709Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:srvx:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B8FAD178-5888-4A2F-B296-86871B71B721", "versionEndExcluding": "0.11.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution."}, {"lang": "es", "value": "srvx es un servidor universal basado en est\u00e1ndares web. Antes de la versi\u00f3n 0.11.13, una discrepancia en el an\u00e1lisis de rutas en el 'FastURL' de srvx permite la omisi\u00f3n de middleware en el adaptador de Node.js cuando una solicitud HTTP sin procesar utiliza una URI absoluta con un esquema no est\u00e1ndar (por ejemplo, 'file://'). A partir de la versi\u00f3n 0.11.13, el constructor 'FastURL' ahora recurre a la 'URL' nativa para cualquier cadena que no comience con '/', asegurando una resoluci\u00f3n de rutas consistente."}], "id": "CVE-2026-33732", "lastModified": "2026-04-02T18:41:11.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T18:16:31.430", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/h3js/srvx/releases/tag/v0.11.13"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.11.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "srvx", "source": "cna", "vendor": "h3js"}, "product": "srvx", "vendor": "h3js"}], "analysis": {"en": {"generated_at": "2026-04-02T22:16:06.165586+00:00", "value": {"mitigation_remediation": ["Upgrade srvx to version 0.11.13 or later."], "summary": {"action": "Patch Now", "impact": "Middleware bypass leading to unauthorized request routing"}, "threat_synthesis": {"affected_systems": "The issue affects the h3js srvx product, specifically all releases prior to version 0.11.13. Users running the Node.js adapter of srvx before this patch are vulnerable.", "description_and_impact": "srvx, a universal server built on web standards, had a pathname parsing discrepancy in its FastURL routine that allowed an attacker to bypass middleware by sending a raw HTTP request containing an absolute URI with a non\u2011standard scheme such as file://. This defect meant that requests could be routed without passing through the intended middleware stack, potentially exposing endpoints or actions that should have been protected. The vulnerability does not provide direct code execution, but it grants the attacker the ability to send requests to any path handled by the Node.js adapter, effectively subverting the expected request handling flow.", "risk_and_exploitability": "The CVSS score of 4.8 corresponds to a medium impact, and the EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to be able to send a crafted HTTP request to the srvx server, inserting an absolute URI with a non\u2011standard scheme; this is typically achievable via network access to the server. There are no publicly known exploit scripts, but the path bypass could be leveraged for privilege escalation against the application if additional sensitive logic is exposed."}}}}, "created": "2026-03-27T08:33:30.209407+00:00", "updated": "2026-04-03T09:38:57.187562+00:00", "vendors": ["h3js", "h3js$PRODUCT$srvx"]}