Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 10 npm packages depend on srvx (4 direct, 6 indirect)
Ecosystem-wide dependent count for version 0.11.13.
DescriptionGitHub Advisory
Summary
A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://).
Details
When Node.js receives an absolute URI in the request line (e.g. GET file://hehe?/internal/run HTTP/1.1), req.url is set verbatim to file://hehe?/internal/run. Since this doesn't start with /, NodeRequestURL passes it directly to FastURL as a string, which stores it in #href for lazy manual parsing.
FastURL#getPos() locates the pathname by finding :// then scanning for the next / - but this fails for URLs like file://hehe?/internal/run where a ? appears before the first / after the authority. The manual parser extracts pathname as /internal/run, while native URL correctly parses it as pathname / with search ?/internal/run.
This discrepancy means the router (using the fast-path) matches /internal/run, but if any middleware triggers a deopt to native URL (e.g. by accessing hostname), subsequent middleware sees a different pathname - bypassing route-based middleware guards.
This is a bypass of CVE-2026-33131.
Impact
Route-based middleware (auth guards, rate limiters, etc.) can be bypassed on the Node.js adapter when a prior middleware triggers FastURL deopt. Requires sending a raw HTTP request (not possible from browsers).
Fix
srvx FastURL constructor now deopts to native URL for any string not starting with /, ensuring consistent pathname resolution.
AnalysisAI
srvx's FastURL pathname parser on Node.js can be bypassed to circumvent route-based middleware (authentication guards, rate limiters) when absolute URIs with non-standard schemes are sent in raw HTTP requests. An attacker sending a crafted request like GET file://hehe?/internal/run HTTP/1.1 can cause the router to match a different pathname than what downstream middleware sees after a deoptimization occurs, allowing access to protected endpoints. This affects srvx versions prior to 0.11.13, requires direct HTTP request capability (not browser-accessible), and has a CVSS score of 4.8 with medium complexity attack requirements. No public exploit identified at time of analysis.
Technical ContextAI
The vulnerability exists in srvx's FastURL implementation (cpe:npm/srvx), a URL parsing optimization layer for the Node.js adapter. FastURL uses a fast-path manual parser that locates pathname by finding :// and then scanning for the next / character. However, for URLs containing a ? query delimiter before the first / in the authority section (e.g., file://hehe?/internal/run), the manual parser incorrectly extracts /internal/run as the pathname. The native JavaScript URL API correctly parses this as pathname / with search string ?/internal/run. When middleware triggers a deoptimization by accessing properties like hostname, FastURL falls back to native URL parsing, creating an inconsistency: the router matched routes based on the fast-path result (/internal/run), but subsequent middleware operates on the native-parsed result (/), allowing circumvention of path-based security controls. This represents a parsing discrepancy vulnerability (CWE-706) and is a bypass of the earlier CVE-2026-33131.
RemediationAI
Upgrade srvx to version 0.11.13 or later immediately. The vendor's fix ensures FastURL deopts to native URL parsing for any string not starting with /, eliminating the pathname discrepancy. Until patching is possible, implement network-level protections: restrict raw HTTP request access (non-browser) at reverse proxy or firewall level, enforce strict input validation on request URIs to reject non-standard schemes, and validate that all middleware chains consistently use the same pathname resolution method. See https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa for technical details of the fix.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16291
GHSA-p36q-q72m-gchr