@aero-js/config (>=0.3.3 <=0.3.5), @aero-js/core (>=0.3.3 <=0.3.5) +58 more potentially affected by CVE-2026-33131 +1 more via srvx (>=0.10.1 <=0.11.12)

srvx NPM version =0.10.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =2.4.0-alpha.2, =2.4.0-alpha.2, =0.1.2, =0.0.1-alpha.0, =0.7.14, =0.2.0, =3.32.0, =3.33.0 and more Source cves: CVE-2026-33131, CVE-2026-33732 Source advisory: SNYK:JS-SRVX-15790571...

GHSA-P36Q-Q72M-GCHR srvx is vulnerable to middleware bypass via absolute URI in request line

Summary A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Details When Node.js receives an absolute URI in the request line e.g. GET file://hehe?/internal/run...

@abysslabs/cli (=0.0.2), @eventodaigreja/ei-components (>=0.1.25 <=0.1.38) +21 more potentially affected by CVE-2026-33131 via h3 (>=2.0.0 <=2.0.1-rc.14)

h3 NPM version =2.0.0, =0.1.25, =3.23.1-20260131-121433-34f631e, =1.154.7, =1.154.7, =1.154.7, =1.154.7, =1.154.7, =1.154.7, =1.154.7, =1.154.7, =0.1.7, =0.3.1-beta.5, =0.0.1-beta.1, =0.0.1-beta.7 and more Source cves: CVE-2026-33131 Source advisory: OSV:GHSA-3VJ8-JMXQ-CGJ5...

CVE-2026-33131

creationtimestamp| type| source ---|---|--- 2026-03-17 11:50:55+00:00| published-proof-of-concept| https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5 2026-03-20 13:53:55+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mhio42zzri2u 2026-03-20 21:40:09+00:00| seen|...