
13 matches found

RedhatCVE
added 2026/03/27 10:51 p.m. | 2 views

CVE-2026-33732

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Starting in version 0.11.13, the...

4.8 CVSS | 5.9 AI score | 0.0005 EPSS
Exploits: 0 | References: 1
Snyk
added 2026/03/26 6:32 p.m. | 1 views

Use of Incorrectly-Resolved Name or Reference

Overview: srvx is a Universal Server. Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in the FastURL function due to a pathname parsing discrepancy when handling absolute URIs with non-standard schemes in raw HTTP requests. An attacker can bypass...

9.1 CVSS | 5.9 AI score | 0.0005 EPSS
Exploits: 1 | References: 2
ATTACKERKB
added 2026/03/26 5:21 p.m. | 3 views

CVE-2026-33732

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Starting in version 0.11.13, the...

4.8 CVSS | 5.8 AI score | 0.0005 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Vulnrichment
added 2026/03/26 5:21 p.m. | 0 views

CVE-2026-33732 srvx is vulnerable to middleware bypass via absolute URI in request line

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Starting in version 0.11.13, the...

4.8 CVSS | 5.9 AI score | 0.0005 EPSS
Exploits: 0 | References: 3
CVE
added 2026/03/26 5:21 p.m. | 6 views

CVE-2026-33732

The srvx vulnerability CVE-2026-33732 affects the Node.js adapter prior to version 0.11.13, where FastURL’s pathname parsing could mis-handle absolute URIs with non-standard schemes (e.g., file://). This allowed bypass of route-based middleware because FastURL would later deopt to the native URL ...

6.5 CVSS | 5.8 AI score | 0.0005 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2026/03/26 5:21 p.m. | 0 views

CVE-2026-33732 srvx is vulnerable to middleware bypass via absolute URI in request line

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Starting in version 0.11.13, the...

4.8 CVSS | 5.9 AI score | 0.0005 EPSS
Exploits: 0 | References: 5
OSV
added 2026/03/26 4:52 p.m. | 2 views

GHSA-P36Q-Q72M-GCHR srvx is vulnerable to middleware bypass via absolute URI in request line

Summary: A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Details: When Node.js receives an absolute URI in the request line e.g. GET file://hehe?/internal/run...

4.8 CVSS | 5.9 AI score | 0.0005 EPSS
Exploits: 0 | References: 5
Positive Technologies
added 2026/03/26 12:0 a.m. | 2 views

PT-2026-28517

Name of the Vulnerable Software and Affected Versions: srvx versions prior to 0.11.13. Description: srvx is a universal server based on web standards. A discrepancy in pathname parsing within srvx's FastURL component allows bypassing middleware on the Node.js adapter. This occurs when a raw HTTP...

4.8 CVSS | 5.9 AI score | 0.0005 EPSS
Exploits: 0 | References: 9
CNNVD
added 2026/03/26 12:0 a.m. | 3 views

srvx security vulnerability

Srvx is a web-based general server developed by H3 Open Source. Versions of Srvx prior to 0.11.13 contained security vulnerabilities. These vulnerabilities were caused by differences in path name resolution in FastURL, which could allow middleware to bypass security measures...

6.5 CVSS | 5.8 AI score | 0.0005 EPSS
Exploits: 0 | References: 3
ATTACKERKB
added 2026/03/20 10:16 a.m. | 3 views

CVE-2026-33131

H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...

7.4 CVSS | 5.8 AI score | 0.00034 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/03/20 10:16 a.m. | 3 views

CVE-2026-33131 h3 has a middleware bypass with one gadget

H3 is a minimal HTTP framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl which extends FastURL which allows middleware bypass. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url...

7.4 CVSS | 5.8 AI score | 0.00034 EPSS
Exploits: 1 | References: 1
Snyk
added 2026/03/18 4:18 p.m. | 0 views

Directory Traversal

Overview: org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access arbitrary files outside the intended static directory by sending crafted...

8.2 CVSS | 6.5 AI score
Exploits: 0 | References: 2
Positive Technologies
added 2026/03/18 12:0 a.m. | 2 views

PT-2026-26194

H3 NodeRequestUrl bugs. Vulnerable pieces of code (js): import { H3, serve, defineHandler, getQuery, getHeaders, readBody, defineNodeHandler } from "h3"; let app = new H3(); const internalOnly = defineHandler((event, next) => { const token = event.headers.get("x-internal-key"); if (token !==...

9.1 CVSS | 5.9 AI score | 0.00034 EPSS
Exploits: 1 | References: 6