CVE-2026-33732
srvx is vulnerable to middleware bypass via absolute URI in request line
Description
## Summary

A pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`).

## Details

When Node.js receives an absolute URI in the request line (e.g. `GET file://hehe?/internal/run HTTP/1.1`), `req.url` is set verbatim to `file://hehe?/internal/run`. Since this doesn't start with `/`, `NodeRequestURL` passes it directly to `FastURL` as a string, which stores it in `#href` for lazy manual parsing.

`FastURL#getPos()` locates the pathname by finding `://` then scanning for the next `/` — but this fails for URLs like `file://hehe?/internal/run` where a `?` appears before the first `/` after the authority. The manual parser extracts the pathname as `/internal/run`, while native `URL` correctly parses it as pathname `/` with search `?/internal/run`.

This discrepancy means the router (using the fast path) matches `/internal/run`, but if any middleware triggers a deopt to native `URL` (e.g. by accessing `hostname`), subsequent middleware sees a different pathname, bypassing route-based middleware guards.

This is a bypass of [CVE-2026-33131](https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5).

## Impact

Route-based middleware (auth guards, rate limiters, etc.) can be bypassed on the Node.js adapter when a prior middleware triggers a `FastURL` deopt. Requires sending a raw HTTP request (not possible from browsers).

## Fix

The srvx `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.
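As an added example (not srvx's own code), a toy model of the fast-path scan described above, placed beside Node's native `URL` parsing and the post-fix rule; `fastPathname`, `nativePathname`, `fixedPathname` and `pathnameDiscrepancy` are hypothetical names and the real `FastURL` internals differ.

```javascript
// Model of the pre-fix scan: find "://", then take everything from the next "/".
// It ignores a "?" that appears before that "/", which is the bug the advisory describes.
function fastPathname(href) {
  if (href.startsWith("/")) {
    const q = href.indexOf("?");
    return q === -1 ? href : href.slice(0, q);
  }
  const scheme = href.indexOf("://");
  const start = href.indexOf("/", scheme + 3);
  if (start === -1) return "/";
  const q = href.indexOf("?", start);
  return q === -1 ? href.slice(start) : href.slice(start, q);
}

// What the WHATWG URL parser (Node's native URL) reports; a base is only
// consulted for inputs that are not already absolute.
function nativePathname(href) {
  return new URL(href, "http://localhost").pathname;
}

// Post-fix rule: only strings starting with "/" take the fast path,
// everything else is handed to native URL, so every consumer sees the same pathname.
function fixedPathname(href) {
  return href.startsWith("/") ? fastPathname(href) : nativePathname(href);
}

// True when the two parsers disagree; a guard that sees this can treat the
// request as malformed instead of trusting either pathname.
function pathnameDiscrepancy(href) {
  return fastPathname(href) !== nativePathname(href);
}

// Constructed inputs: the advisory's request-line URI and an ordinary one.
console.log(fastPathname("file://hehe?/internal/run"));   // "/internal/run"
console.log(nativePathname("file://hehe?/internal/run")); // "/"
console.log(fixedPathname("file://hehe?/internal/run"));  // "/"
console.log(pathnameDiscrepancy("http://example.com/internal/run?x=1")); // false
```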
How to fix CVE-2026-33732
To remediate CVE-2026-33732, upgrade the affected package to a fixed version below.
- srvx: upgrade to 0.11.13 or later
Is CVE-2026-33732 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- srvx: from 0, < 0.11.13