Security Advisory

CVE-2026-33732

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-26 17:21:15

Last updated 2026-03-27 14:41:11

Assigner GitHub_M

State PUBLISHED

Description

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvxs `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

← Browse all CVEs View on cve.org ↗