CVE-2026-33732 Overview
CVE-2026-33732 is an authorization bypass vulnerability in srvx, a universal server based on web standards. A pathname parsing discrepancy in srvx's FastURL class allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g., file://). This inconsistency in URL parsing enables attackers to potentially circumvent security middleware that relies on pathname validation.
Critical Impact
Attackers can bypass authentication and authorization middleware by crafting HTTP requests with absolute URIs using non-standard schemes, potentially gaining unauthorized access to protected endpoints.
Affected Products
- srvx versions prior to 0.11.13
- Applications using srvx Node.js adapter with pathname-based middleware
- h3 framework implementations relying on srvx URL parsing
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33732 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33732
Vulnerability Analysis
The vulnerability exists in the FastURL constructor within srvx's URL parsing implementation. When processing URL strings, the original code stored the raw URL string directly as the internal href value without validating whether the URL was a relative path or an absolute URI. This created a parsing discrepancy where absolute URIs with non-standard schemes (such as file://) would be processed differently than expected by downstream middleware.
The core issue stems from inconsistent pathname resolution between the FastURL implementation and the native URL API. When middleware components rely on the pathname property for access control decisions, an attacker could craft requests with absolute URIs that resolve to unexpected pathname values, effectively bypassing security checks.
Root Cause
The root cause is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference). The FastURL constructor failed to distinguish between relative paths starting with / and absolute URIs containing scheme prefixes. This oversight meant that strings like file://localhost/admin would not be properly parsed through the native URL API, resulting in incorrect pathname extraction that security middleware would interpret differently than intended.
Attack Vector
The attack vector is network-based and requires the attacker to send specially crafted HTTP requests to the vulnerable Node.js application. By using an absolute URI with a non-standard scheme in the HTTP request line (rather than the typical relative path), an attacker can cause the FastURL class to misparse the pathname. If middleware uses this pathname for authorization decisions, the attacker may access restricted resources.
For example, a request like GET file://localhost/admin/sensitive-endpoint HTTP/1.1 might bypass middleware that checks if the pathname starts with /admin/ because the FastURL implementation would not correctly extract the pathname from the absolute URI.
The security patch addresses this by detecting URLs that don't start with / and delegating parsing to the native URL constructor:
constructor(url: string | URLInit) {
if (typeof url === "string") {
- this.#href = url;
+ if (url[0] === "/") {
+ this.#href = url;
+ } else {
+ this.#url = new NativeURL(url);
+ }
} else if (_needsNormRE.test(url.pathname)) {
this.#url = new NativeURL(
`${url.protocol || "http:\"}//${url.host || "localhost"}${url.pathname}${url.search || ""}`,
Source: GitHub Commit Details
Detection Methods for CVE-2026-33732
Indicators of Compromise
- HTTP requests containing absolute URIs with non-standard schemes (e.g., file://, ftp://, custom://) in the request line
- Unusual access patterns to protected endpoints from requests with malformed or unexpected URI formats
- Web server logs showing requests that bypass expected middleware processing
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block HTTP requests with absolute URIs containing non-standard schemes
- Monitor application logs for requests where the raw request URI contains scheme prefixes like file:// or other non-HTTP protocols
- Deploy intrusion detection signatures that flag HTTP request lines not starting with a forward slash
Monitoring Recommendations
- Enable verbose logging on srvx-based applications to capture full request URIs
- Set up alerts for any requests that trigger authorization errors after appearing to access protected routes
- Review application access logs for patterns indicating middleware bypass attempts
How to Mitigate CVE-2026-33732
Immediate Actions Required
- Upgrade srvx to version 0.11.13 or later immediately
- Audit any middleware that relies on pathname parsing for security decisions
- Review recent access logs for evidence of exploitation attempts using non-standard URI schemes
Patch Information
The vulnerability is fixed in srvx version 0.11.13. The patch modifies the FastURL constructor to deopt to the native URL API for any string not starting with /, ensuring consistent pathname resolution across all URI formats. The fix is available in commit de0d699.
For more information, see the GitHub Security Advisory and the GitHub Release v0.11.13.
Workarounds
- Implement additional request validation at the web server or reverse proxy level to reject requests with absolute URIs
- Add custom middleware that validates request URIs before processing, ensuring all requests use relative paths
- Configure your reverse proxy (nginx, Apache) to normalize requests before forwarding to the Node.js application
# Example nginx configuration to reject absolute URIs
location / {
# Block requests with absolute URIs containing schemes
if ($request_uri ~* "^[a-zA-Z]+://") {
return 400;
}
proxy_pass http://nodejs_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
