CVE-2026-33732

{"id": "CVE-2026-33732", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T18:16:31.430", "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/h3js/srvx/releases/tag/v0.11.13", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-706"}]}], "descriptions": [{"lang": "en", "value": "srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution."}, {"lang": "es", "value": "srvx es un servidor universal basado en est\u00e1ndares web. Antes de la versi\u00f3n 0.11.13, una discrepancia en el an\u00e1lisis de rutas en el 'FastURL' de srvx permite la omisi\u00f3n de middleware en el adaptador de Node.js cuando una solicitud HTTP sin procesar utiliza una URI absoluta con un esquema no est\u00e1ndar (por ejemplo, 'file://'). A partir de la versi\u00f3n 0.11.13, el constructor 'FastURL' ahora recurre a la 'URL' nativa para cualquier cadena que no comience con '/', asegurando una resoluci\u00f3n de rutas consistente."}], "lastModified": "2026-04-02T18:41:11.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h3:srvx:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B8FAD178-5888-4A2F-B296-86871B71B721", "versionEndExcluding": "0.11.13"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}