CVE-2026-33732

Summary

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://). Starting in version 0.11.13, the FastURL constructor now deopts to native URL for any string not starting with /, ensuring consistent pathname resolution.

Affected Software

VendorProductVersion RangeStatus
h3jssrvx< 0.11.13affected

Weaknesses

  • CWE-706: CWE-706: Use of Incorrectly-Resolved Name or Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References