Nuxt · Nuxt · CVE-2026-33131
**Name of the Vulnerable Software and Affected Versions**
H3 versions 2.0.0-0 through 2.0.1-rc.14
**Description**
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing issue in `NodeRequestUrl` (which extends `FastURL`) that allows middleware to be bypassed. When `event.url`, `event.url.hostname`, or `event.url. url` is accessed, for example in logging middleware, the ` url` getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., `Host: localhost:3000/abchehe?`) so that a middleware path check fails while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3 (including Nitro/Nuxt) that reads `event.url` properties in middleware guarding sensitive routes. The root cause is that `FastURL.href` is built from unsanitized, attacker-controlled input: the ` url()` function of the `FastURL` class runs when properties such as `event.url` are accessed, producing a URL that incorporates the manipulated Host header. An attacker can thereby overwrite `event.url` and bypass middleware checks.
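The following Node.js snippet is an added illustration and is not H3's, Nitro's or Nuxt's code. It models the pattern the advisory describes: a URL is constructed as `<protocol>://<Host header><path>`, a guard middleware trusts the parsed `pathname`, while the router matched on the raw request path. It then shows the defensive check a framework or application can apply before trusting the Host header: reject any value that is not a plain `host[:port]`, and optionally require it to be on an allowlist of hosts the application actually serves. All function names, the regex and the sample requests are this example's own.

```javascript
// Added illustration (not H3's own code) of the Host-header / URL mismatch described
// in CVE-2026-33131. A URL is built from "<protocol>://<Host header><path>"; a guard
// middleware then trusts the parsed pathname, while the router matched the raw path.

// A well-formed Host value is host[:port] only: a DNS name / IPv4 string or a
// bracketed IPv6 literal, optionally followed by a port. "/", "?", "#" are rejected.
const HOST_RE = /^(?:\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::\d{1,5})?$/;

// Models the vulnerable pattern: the Host header is concatenated in unvalidated.
function buildUrlUnchecked(hostHeader, rawPath, protocol = "http") {
  return new URL(`${protocol}://${hostHeader}${rawPath}`);
}

// Hardened builder: validate the Host header's shape first, then (optionally)
// require it to be one of the hosts this application is served on.
function buildUrlChecked(hostHeader, rawPath, allowedHosts = null, protocol = "http") {
  if (typeof hostHeader !== "string" || !HOST_RE.test(hostHeader)) {
    throw new Error(`rejected malformed Host header: ${JSON.stringify(hostHeader)}`);
  }
  if (allowedHosts && !allowedHosts.includes(hostHeader.toLowerCase())) {
    throw new Error(`rejected Host not in allowlist: ${hostHeader}`);
  }
  return new URL(`${protocol}://${hostHeader}${rawPath}`);
}

// Toy router: matches on the raw request path (it runs before middleware, as the
// advisory notes for H3).
function routerMatchesAdmin(rawPath) {
  return rawPath === "/admin" || rawPath.startsWith("/admin/");
}

// Toy guard middleware: decides from the *parsed* URL's pathname, which is the
// pattern the advisory warns about.
function guardBlocksAdmin(url) {
  return url.pathname === "/admin" || url.pathname.startsWith("/admin/");
}

// One request through router + guard with the unchecked builder. Reports whether
// the guard's view of the path disagrees with what the router dispatched to.
function simulateUnchecked(hostHeader, rawPath) {
  const url = buildUrlUnchecked(hostHeader, rawPath);
  const routedToAdmin = routerMatchesAdmin(rawPath);
  const guardBlocked = guardBlocksAdmin(url);
  return {
    pathnameSeenByGuard: url.pathname,
    routedToAdmin,
    guardBlocked,
    bypass: routedToAdmin && !guardBlocked,
  };
}

// Same request with the hardened builder: a malformed or unknown Host is rejected
// before any URL is parsed, so the guard never sees a misleading pathname.
function simulateChecked(hostHeader, rawPath, allowedHosts) {
  try {
    const url = buildUrlChecked(hostHeader, rawPath, allowedHosts);
    return { rejected: false, pathnameSeenByGuard: url.pathname, guardBlocked: guardBlocksAdmin(url) };
  } catch (e) {
    return { rejected: true, reason: e.message };
  }
}

// Constructed sample requests (not captured traffic). The second Host value is the
// malformed one quoted in the advisory.
console.log(simulateUnchecked("localhost:3000", "/admin/users"));
// guard sees "/admin/users" and blocks: bypass false
console.log(simulateUnchecked("localhost:3000/abchehe?", "/admin/users"));
// guard sees "/abchehe" (the rest became the query string) while the router still
// dispatched to /admin/users: bypass true
console.log(simulateChecked("localhost:3000/abchehe?", "/admin/users", ["localhost:3000"]));
// rejected: true
```

The key observation is that `new URL("http://localhost:3000/abchehe?/admin/users")` parses with `pathname` `/abchehe` and the real path pushed into `search`, so any check that reads `event.url.pathname` is looking at attacker-chosen data. Middleware that must gate a route should compare against the same value the router used, and the Host header should be validated (shape and allowlist) before it participates in any URL construction.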
**Recommendations**
Update to H3 version 2.0.1-rc.15 or later.