VYPR
Medium severity 4.8 · NVD Advisory · Published Mar 26, 2026 · Updated Apr 2, 2026

CVE-2026-33732


Description

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://). Starting in version 0.11.13, the FastURL constructor now deopts to native URL for any string not starting with /, ensuring consistent pathname resolution.
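
The discrepancy described above, as an added example that is not srvx's code: `naivePathname` is a hypothetical string-scanning fast path (an assumption, not the pre-fix implementation), `resolvePathname` applies the 0.11.13 rule in simplified form, and the inputs are the absolute-URI cases from the fix commit's test.

```javascript
// Added example, not srvx code. naivePathname is a hypothetical string-scanning
// fast path, written to show how such a parser can disagree with WHATWG URL.
function naivePathname(target) {
  // Skip "scheme://authority" by jumping to the next "/", then cut at "?" or "#".
  const schemeEnd = target.indexOf("://");
  const start = schemeEnd === -1 ? 0 : target.indexOf("/", schemeEnd + 3);
  if (start === -1) return "/";
  const rest = target.slice(start);
  const end = rest.search(/[?#]/);
  return end === -1 ? rest : rest.slice(0, end);
}

// The rule the advisory describes for 0.11.13: only strings starting with "/"
// stay on the fast path; everything else is parsed by the native URL class.
// (Simplified: no dot-segment normalization on the fast path.)
function resolvePathname(target) {
  if (target[0] === "/") {
    const end = target.search(/[?#]/);
    return end === -1 ? target : target.slice(0, end);
  }
  return new URL(target).pathname; // throws TypeError if not an absolute URL
}

// Inputs and expected pathnames copied from the fix commit's test cases.
const CASES = [
  ["http://example.com/path", "/path"],
  ["http://example.com/path?q=1", "/path"],
  ["file://hehe?/internal/run", "/"],
  ["file://hehe/abc", "/abc"],
  ["http://evil.com?/secret", "/"],
  ["https://host/a/b/c?x=1", "/a/b/c"],
];

// Targets on which the two parsers disagree, i.e. where a path-based
// middleware check and a router could each see a different pathname.
function findDiscrepancies(cases) {
  return cases
    .map(([target]) => ({
      target,
      naive: naivePathname(target),
      native: new URL(target).pathname,
    }))
    .filter((r) => r.naive !== r.native);
}

for (const r of findDiscrepancies(CASES)) {
  console.log(`${r.target}: naive=${r.naive} native=${r.native}`);
}
```

Only the two inputs where `?` appears before the first path slash are reported, which is why a single parser for every non-`/` request target removes the disagreement.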

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| srvx (npm) | < 0.11.13 | 0.11.13 |

Patches

de0d69901c35

fix(url): deopt absolute URIs in FastURL

https://github.com/h3js/srvx · Pooya Parsa · Mar 23, 2026 · via ghsa
2 files changed · +34 -1
  • src/_url.ts · +5 -1 · modified
    @@ -43,7 +43,11 @@ export const FastURL: { new (url: string | URLInit): URL & { _url: URL } } =
     
           constructor(url: string | URLInit) {
             if (typeof url === "string") {
    -          this.#href = url;
    +          if (url[0] === "/") {
    +            this.#href = url;
    +          } else {
    +            this.#url = new NativeURL(url);
    +          }
             } else if (_needsNormRE.test(url.pathname)) {
               this.#url = new NativeURL(
                 `${url.protocol || "http:"}//${url.host || "localhost"}${url.pathname}${url.search || ""}`,
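
Review bot: In the new `else` branch, `new NativeURL(url)` is called without a base, so any string that neither starts with "/" nor parses as an absolute URL (an empty string, or `*` as in an asterisk-form request target) now throws from the constructor, where the removed `this.#href = url;` line stored it without parsing. If the throw is intended, a comment on the branch should say so, together with the reason the fast path is limited to "/"-prefixed strings; if it is not, catch the error here and decide explicitly how such input is handled.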
    
  • test/url.test.ts · +29 -0 · modified
    @@ -125,6 +125,35 @@ describe("FastURL", () => {
         }
       });
     
    +  describe("absolute URI in request line", () => {
    +    const cases = [
    +      ["http://example.com/path", "/path"],
    +      ["http://example.com/path?q=1", "/path"],
    +      ["file://hehe?/internal/run", "/"],
    +      ["file://hehe/abc", "/abc"],
    +      ["http://evil.com?/secret", "/"],
    +      ["https://host/a/b/c?x=1", "/a/b/c"],
    +    ] as const;
    +
    +    for (const [input, expected] of cases) {
    +      test(`"${input}" => pathname "${expected}"`, () => {
    +        const url = new NodeRequestURL({
    +          req: { url: input, headers: { host: "localhost" } } as any,
    +        });
    +        expect(url.pathname).toBe(expected);
    +      });
    +
    +      test(`"${input}" => pathname "${expected}" (after deopt)`, () => {
    +        const url = new NodeRequestURL({
    +          req: { url: input, headers: { host: "localhost" } } as any,
    +        });
    +        // Access hostname to trigger _url deopt
    +        void url.hostname;
    +        expect(url.pathname).toBe(expected);
    +      });
    +    }
    +  });
    +
       describe("pathname normalization", () => {
         const cases = [
           // Literal dot segments
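
Review bot: Every entry in `cases` is a parseable absolute URI and both tests in the loop assert only `pathname`, so the suite does not pin down where the text after `?` ends up or what happens for a non-"/" string that is not a URL. For the two inputs where `?` precedes the first path slash (`"file://hehe?/internal/run"` and `"http://evil.com?/secret"`), also assert `url.search`, and add a case such as `"*"` that fixes whether construction throws.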
    
