Skip to main content

Node.js EUVDEUVD-2026-16291

| CVE-2026-33732 MEDIUM
Use of Incorrectly-Resolved Name or Reference (CWE-706)
2026-03-26 https://github.com/h3js/srvx GHSA-p36q-q72m-gchr
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 26, 2026 - 17:00 euvd
EUVD-2026-16291
Analysis Generated
Mar 26, 2026 - 17:00 vuln.today
Patch released
Mar 26, 2026 - 17:00 nvd
Patch available
CVE Published
Mar 26, 2026 - 16:52 nvd
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on srvx (4 direct, 6 indirect)

Ecosystem-wide dependent count for version 0.11.13.

DescriptionGitHub Advisory

Summary

A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://).

Details

When Node.js receives an absolute URI in the request line (e.g. GET file://hehe?/internal/run HTTP/1.1), req.url is set verbatim to file://hehe?/internal/run. Since this doesn't start with /, NodeRequestURL passes it directly to FastURL as a string, which stores it in #href for lazy manual parsing.

FastURL#getPos() locates the pathname by finding :// then scanning for the next / - but this fails for URLs like file://hehe?/internal/run where a ? appears before the first / after the authority. The manual parser extracts pathname as /internal/run, while native URL correctly parses it as pathname / with search ?/internal/run.

This discrepancy means the router (using the fast-path) matches /internal/run, but if any middleware triggers a deopt to native URL (e.g. by accessing hostname), subsequent middleware sees a different pathname - bypassing route-based middleware guards.

This is a bypass of CVE-2026-33131.

Impact

Route-based middleware (auth guards, rate limiters, etc.) can be bypassed on the Node.js adapter when a prior middleware triggers FastURL deopt. Requires sending a raw HTTP request (not possible from browsers).

Fix

srvx FastURL constructor now deopts to native URL for any string not starting with /, ensuring consistent pathname resolution.

AnalysisAI

srvx's FastURL pathname parser on Node.js can be bypassed to circumvent route-based middleware (authentication guards, rate limiters) when absolute URIs with non-standard schemes are sent in raw HTTP requests. An attacker sending a crafted request like GET file://hehe?/internal/run HTTP/1.1 can cause the router to match a different pathname than what downstream middleware sees after a deoptimization occurs, allowing access to protected endpoints. This affects srvx versions prior to 0.11.13, requires direct HTTP request capability (not browser-accessible), and has a CVSS score of 4.8 with medium complexity attack requirements. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability exists in srvx's FastURL implementation (cpe:npm/srvx), a URL parsing optimization layer for the Node.js adapter. FastURL uses a fast-path manual parser that locates pathname by finding :// and then scanning for the next / character. However, for URLs containing a ? query delimiter before the first / in the authority section (e.g., file://hehe?/internal/run), the manual parser incorrectly extracts /internal/run as the pathname. The native JavaScript URL API correctly parses this as pathname / with search string ?/internal/run. When middleware triggers a deoptimization by accessing properties like hostname, FastURL falls back to native URL parsing, creating an inconsistency: the router matched routes based on the fast-path result (/internal/run), but subsequent middleware operates on the native-parsed result (/), allowing circumvention of path-based security controls. This represents a parsing discrepancy vulnerability (CWE-706) and is a bypass of the earlier CVE-2026-33131.

RemediationAI

Upgrade srvx to version 0.11.13 or later immediately. The vendor's fix ensures FastURL deopts to native URL parsing for any string not starting with /, eliminating the pathname discrepancy. Until patching is possible, implement network-level protections: restrict raw HTTP request access (non-browser) at reverse proxy or firewall level, enforce strict input validation on request URIs to reject non-standard schemes, and validate that all middleware chains consistently use the same pathname resolution method. See https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa for technical details of the fix.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-16291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy