PT-2026-28517 · Srvx · Srvx

Hibwyli

Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33732
CVSS v3.1 6.5 Medium · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: srvx versions prior to 0.11.13
Description: srvx is a universal server built on web standards. A discrepancy in pathname parsing in srvx's FastURL component allows middleware to be bypassed on the Node.js adapter. The Node.js adapter copies the raw HTTP request-target verbatim into req.url, so a client can send a request whose target is an absolute URI with a non-standard scheme such as file://. For such a target, FastURL#getPos() failed to locate the start of the pathname, and the FastURL constructor did not resolve paths consistently, so different middleware components saw different pathnames for the same request. Route-based middleware keyed on the pathname, including authentication guards and rate limiters, could therefore be bypassed for the routes it was meant to protect.
Recommendations: Update srvx to version 0.11.13 or later.
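The following JavaScript is an added example written for this page; it is not srvx's own code and not its actual fix. It models the bug class described above: a hypothetical fast pathname extractor (fastPathname) and the WHATWG URL parser disagree on the pathname of an absolute-form request target with a non-http scheme, so a route guard keyed on the first lets the request through while a router keyed on the second still dispatches it to the protected route. The request targets, the /admin route, and the normalizePathname hardening are constructed assumptions. It goes one step beyond the page's file:// case by also feeding in a protocol-relative target (//host/path), which a base-relative WHATWG parse resolves differently as well.

```javascript
// Added example, not srvx's code: two pathname parsers disagree on an
// absolute-form request target, and a guard keyed on one of them is bypassed.

// Constructed request targets, as Node's http parser leaves them in req.url
// (the request-target is copied verbatim, it is not normalized).
const REQUEST_TARGETS = [
  "/admin/users",                    // origin-form, the normal case
  "http://example.test/admin/users", // absolute-form, standard scheme
  "file:///admin/users",             // absolute-form, non-standard scheme
  "//evil.test/admin/users",         // protocol-relative (beyond the page's case)
];

// Hypothetical "fast" extractor that only understands origin-form and http(s)
// absolute-form targets and otherwise slices from the first "/" it finds.
// It mirrors the failure mode in the text (pathname start located wrongly);
// it is not srvx's FastURL source.
function fastPathname(target) {
  if (target.startsWith("/")) return target;
  if (/^https?:\/\//.test(target)) {
    const start = target.indexOf("/", target.indexOf("//") + 2);
    return start === -1 ? "/" : target.slice(start);
  }
  const slash = target.indexOf("/"); // for "file:///..." this is the "//"
  return slash === -1 ? "/" : target.slice(slash);
}

// Standards-based extractor: the WHATWG parser resolves the pathname the same
// way for any scheme. The base only matters for non-absolute targets.
function standardPathname(target) {
  return new URL(target, "http://placeholder").pathname;
}

// Hardened extractor (one possible approach, not srvx's actual fix): accept
// plain origin-form, parse absolute-form with the standard parser, and refuse
// anything that cannot be a valid HTTP request target instead of guessing.
function normalizePathname(target) {
  if (target.startsWith("/") && !target.startsWith("//")) return target;
  let url;
  try {
    url = new URL(target); // no base: "//host/path" and garbage throw here
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.pathname;
}

// An auth guard and a router, each resolving the pathname with its own parser.
// The guard protects /admin; the router dispatches /admin to the admin handler.
function dispatch(target, guardParser, routerParser) {
  const guardPath = guardParser(target);
  const routePath = routerParser(target);
  if (guardPath === null || routePath === null) return "400 rejected";
  const guardFired = guardPath.startsWith("/admin");
  const route = routePath.startsWith("/admin") ? "admin" : "public";
  if (route === "admin" && !guardFired) return "BYPASS: admin served without auth";
  if (route === "admin") return "admin (auth required)";
  return "public";
}

// Vulnerable pipeline: guard and router disagree on what the pathname is.
function vulnerableDispatch(target) {
  return dispatch(target, fastPathname, standardPathname);
}

// Fixed pipeline: one normalized view of the pathname for every component.
function fixedDispatch(target) {
  return dispatch(target, normalizePathname, normalizePathname);
}

for (const t of REQUEST_TARGETS) {
  console.log(
    t.padEnd(34),
    "vulnerable:", vulnerableDispatch(t).padEnd(34),
    "fixed:", fixedDispatch(t),
  );
}
```

The bypass only needs the two parsers to disagree; which one the guard uses and which one the router uses does not matter. The durable fix is therefore not a better heuristic in the fast path but a single resolved pathname that every middleware reads, with anything the resolver cannot classify rejected up front.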

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-33732
GHSA-P36Q-Q72M-GCHR

Affected Products

Srvx