CVE-2026-33732

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, the `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

## Summary A pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). ## Details When Node.js receives an absolute URI in the request line (e.g. `GET file://hehe?/internal/run HTTP/1.1`), `req.url` is set verbatim to `file://hehe?/internal/run`. Since this doesn't start with `/`, `NodeRequestURL` passes it directly to `FastURL` as a string, which stores it in `#href` for lazy manual parsing. `FastURL#getPos()` locates the pathname by finding `://` then scanning for the next `/` — but this fails for URLs like `file://hehe?/internal/run` where a `?` appears before the first `/` after the authority. The manual parser extracts pathname as `/internal/run`, while native `URL` correctly parses it as pathname `/` with search `?/internal/run`. This discrepancy means the router (using the fast-path) matches `/internal/run`, but if any middleware triggers a deopt to native `URL` (e.g. by accessing `hostname`), subsequent middleware sees a different pathname — bypassing route-based middleware guards. This is a bypass of [CVE-2026-33131](https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5). ## Impact Route-based middleware (auth guards, rate limiters, etc.) can be bypassed on the Node.js adapter when a prior middleware triggers `FastURL` deopt. Requires sending a raw HTTP request (not possible from browsers). ## Fix srvx `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

## Summary A pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). ## Details When Node.js receives an absolute URI in the request line (e.g. `GET file://hehe?/internal/run HTTP/1.1`), `req.url` is set verbatim to `file://hehe?/internal/run`. Since this doesn't start with `/`, `NodeRequestURL` passes it directly to `FastURL` as a string, which stores it in `#href` for lazy manual parsing. `FastURL#getPos()` locates the pathname by finding `://` then scanning for the next `/` — but this fails for URLs like `file://hehe?/internal/run` where a `?` appears before the first `/` after the authority. The manual parser extracts pathname as `/internal/run`, while native `URL` correctly parses it as pathname `/` with search `?/internal/run`. This discrepancy means the router (using the fast-path) matches `/internal/run`, but if any middleware triggers a deopt to native `URL` (e.g. by accessing `hostname`), subsequent middleware sees a different pathname — bypassing route-based middleware guards. This is a bypass of [CVE-2026-33131](https://github.com/h3js/h3/security/advisories/GHSA-3vj8-jmxq-cgj5). ## Impact Route-based middleware (auth guards, rate limiters, etc.) can be bypassed on the Node.js adapter when a prior middleware triggers `FastURL` deopt. Requires sending a raw HTTP request (not possible from browsers). ## Fix srvx `FastURL` constructor now deopts to native `URL` for any string not starting with `/`, ensuring consistent pathname resolution.

srvx es un servidor universal basado en estándares web. Antes de la versión 0.11.13, una discrepancia en el análisis de rutas en el 'FastURL' de srvx permite la omisión de middleware en el adaptador de Node.js cuando una solicitud HTTP sin procesar utiliza una URI absoluta con un esquema no estándar (por ejemplo, 'file://'). A partir de la versión 0.11.13, el constructor 'FastURL' ahora recurre a la 'URL' nativa para cualquier cadena que no comience con '/', asegurando una resolución de rutas consistente.