Description
srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
Published: 2026-03-26
Score: 4.8 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Middleware bypass leading to unauthorized request routing
Action: Patch Now
AI Analysis

Impact

srvx, a universal server built on web standards, had a pathname parsing discrepancy in its FastURL routine that allowed an attacker to bypass middleware by sending a raw HTTP request containing an absolute URI with a non-standard scheme such as file://. This defect meant that requests could be routed without passing through the intended middleware stack, potentially exposing endpoints or actions that should have been protected. The vulnerability does not provide direct code execution, but it grants the attacker the ability to send requests to any path handled by the Node.js adapter, effectively subverting the expected request handling flow.

Affected Systems

The issue affects the h3js srvx product, specifically all releases prior to version 0.11.13. Users running the Node.js adapter of srvx before this patch are vulnerable.

Risk and Exploitability

The CVSS score of 4.8 corresponds to a medium impact, and the EPSS score is below 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to be able to send a crafted HTTP request to the srvx server, inserting an absolute URI with a non-standard scheme; this is typically achievable via network access to the server. There are no publicly known exploit scripts, but the path bypass could be leveraged for privilege escalation against the application if additional sensitive logic is exposed.

Generated by OpenCVE AI on April 2, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade srvx to version 0.11.13 or later.


Advisories
Source: GitHub GHSA
ID: GHSA-p36q-q72m-gchr
Title: srvx is vulnerable to middleware bypass via absolute URI in request line
History

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared
  Values added: H3; H3 srvx
CPEs
  Values added: cpe:2.3:a:h3:srvx:*:*:*:*:*:node.js:*:*
Vendors & Products
  Values added: H3; H3 srvx

Fri, 27 Mar 2026 15:15:00 +0000

Metrics
  Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared
  Values added: H3js; H3js srvx
Vendors & Products
  Values added: H3js; H3js srvx

Thu, 26 Mar 2026 17:45:00 +0000

Description
  Values added: srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
Title
  Values added: srvx is vulnerable to middleware bypass via absolute URI in request line
Weaknesses
  Values added: CWE-706
References
  Values added: (none listed)
Metrics
  Values added: cvssV3_1
  {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:41:11.864Z

Reserved: 2026-03-23T17:34:57.560Z

Link: CVE-2026-33732

Vulnrichment

Updated: 2026-03-27T14:41:07.245Z

NVD

Status: Analyzed

Published: 2026-03-26T18:16:31.430

Modified: 2026-04-02T18:41:11.220

Link: CVE-2026-33732

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:57Z

Weaknesses