The vulnerability identified as CVE-2026-33732 affects the srvx universal server component of the h3js project, specifically versions prior to 0.11.13. The root cause is a pathname parsing discrepancy within the FastURL constructor used by srvx's Node.js adapter. When srvx processes raw HTTP requests containing absolute URIs with non-standard schemes (e.g., file://), the FastURL component incorrectly resolves the pathname. This flaw allows attackers to bypass middleware protections that rely on accurate pathname parsing, potentially enabling unauthorized access or manipulation of server-side resources. The vulnerability is categorized under CWE-706, which involves the use of incorrectly resolved names or references leading to security issues. To address this, starting with version 0.11.13, the FastURL constructor defers to the native URL implementation for any input string not beginning with a forward slash (/), ensuring consistent and secure pathname resolution. The CVSS 3.1 base score is 4.8, reflecting a medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, and limited impact on confidentiality and integrity but no impact on availability. No public exploits have been reported, but the vulnerability could be leveraged in scenarios where attackers can send crafted HTTP requests directly to the Node.js adapter of srvx servers.

The primary impact of this vulnerability is the potential bypass of middleware security controls in srvx servers running vulnerable versions. Middleware often enforces authentication, authorization, logging, or input validation; bypassing it could allow attackers to access restricted resources or perform unauthorized actions, leading to partial confidentiality and integrity breaches. Although the attack complexity is high and no known exploits exist, organizations relying on srvx for critical web services may face risks of unauthorized data exposure or manipulation if attackers exploit this flaw. The vulnerability does not affect availability, and no authentication or user interaction is required, increasing the risk in exposed network environments. The scope is limited to srvx servers using the Node.js adapter and processing raw HTTP requests with absolute URIs containing non-standard schemes, which may reduce the overall attack surface but still poses a tangible risk for affected deployments.

Organizations should upgrade all srvx deployments to version 0.11.13 or later, where the vulnerability is fixed by using the native URL constructor for pathname resolution. In addition to patching, administrators should audit their srvx configurations to restrict or validate incoming HTTP requests, especially those containing absolute URIs with uncommon schemes. Implement network-level controls such as web application firewalls (WAFs) to detect and block suspicious requests that attempt to exploit pathname parsing discrepancies. Logging and monitoring should be enhanced to identify unusual request patterns targeting the Node.js adapter. If immediate patching is not feasible, consider isolating srvx servers behind strict access controls and limiting exposure to untrusted networks. Developers should review middleware logic to ensure it does not rely solely on pathname parsing for security decisions and incorporate defense-in-depth strategies.