CVE-2026-33732: CWE-706: Use of Incorrectly-Resolved Name or Reference in h3js srvx
A vulnerability in h3js srvx versions prior to 0. 11. 13 allows middleware bypass due to a pathname parsing discrepancy in the FastURL constructor. This occurs when a raw HTTP request uses an absolute URI with a non-standard scheme such as file://. The issue is resolved starting in version 0. 11. 13 by changing FastURL to use the native URL constructor for strings not starting with '/'. The CVSS score is 4. 8, indicating medium severity.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33732 affects the srvx universal server component of h3js before version 0.11.13. It arises from incorrect pathname parsing in the FastURL constructor when handling raw HTTP requests containing absolute URIs with non-standard schemes (e.g., file://). This parsing discrepancy can lead to middleware bypass on the Node.js adapter. The fix implemented in version 0.11.13 changes FastURL to defer to the native URL constructor for any input string not starting with a slash, ensuring consistent and correct pathname resolution.
Potential Impact
An attacker can craft a raw HTTP request with an absolute URI using a non-standard scheme to bypass middleware protections in srvx versions before 0.11.13. The impact includes limited confidentiality and integrity loss but no availability impact, as reflected by the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade srvx to version 0.11.13 or later, where the FastURL constructor has been updated to use the native URL parser for non-root-relative strings, eliminating the pathname parsing discrepancy. Since no patch links are provided, users should obtain the fix from the official h3js release corresponding to version 0.11.13. No additional mitigation steps are indicated.
CVE-2026-33732: CWE-706: Use of Incorrectly-Resolved Name or Reference in h3js srvx
Description
A vulnerability in h3js srvx versions prior to 0. 11. 13 allows middleware bypass due to a pathname parsing discrepancy in the FastURL constructor. This occurs when a raw HTTP request uses an absolute URI with a non-standard scheme such as file://. The issue is resolved starting in version 0. 11. 13 by changing FastURL to use the native URL constructor for strings not starting with '/'. The CVSS score is 4. 8, indicating medium severity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-33732 affects the srvx universal server component of h3js before version 0.11.13. It arises from incorrect pathname parsing in the FastURL constructor when handling raw HTTP requests containing absolute URIs with non-standard schemes (e.g., file://). This parsing discrepancy can lead to middleware bypass on the Node.js adapter. The fix implemented in version 0.11.13 changes FastURL to defer to the native URL constructor for any input string not starting with a slash, ensuring consistent and correct pathname resolution.
Potential Impact
An attacker can craft a raw HTTP request with an absolute URI using a non-standard scheme to bypass middleware protections in srvx versions before 0.11.13. The impact includes limited confidentiality and integrity loss but no availability impact, as reflected by the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade srvx to version 0.11.13 or later, where the FastURL constructor has been updated to use the native URL parser for non-root-relative strings, eliminating the pathname parsing discrepancy. Since no patch links are provided, users should obtain the fix from the official h3js release corresponding to version 0.11.13. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T17:34:57.560Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1f11
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 4/3/2026, 1:39:54 PM
Last updated: 5/10/2026, 9:48:48 AM
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.