CVE-2026-33732: srvx is vulnerable to middleware bypass via absolute URI in request line

March 26, 2026

A pathname parsing discrepancy in srvx’s FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://).

References

github.com/advisories/GHSA-p36q-q72m-gchr
github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr
github.com/h3js/srvx
github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa
github.com/h3js/srvx/releases/tag/v0.11.13
nvd.nist.gov/vuln/detail/CVE-2026-33732

Code Behaviors & Features

Detect and mitigate CVE-2026-33732 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →