HIGH Severity: @tus/server Middleware Bypass via srvx Vulnerability (GHSA-p36q-q72m-gchr)
A high-severity vulnerability has been identified in the `@tus/server` package that enables a middleware bypass on its resumable upload endpoint. The flaw, tracked as GHSA-p36q-q72m-gchr, originates in the underlying `srvx` dependency and allows an attacker to circumvent security controls implemented as middleware by supplying an absolute URI in the request.
The vulnerability affects `@tus/server` versions matching `^2.3.0`, because those releases depend on a vulnerable version of `srvx` (any version below `0.11.13`). Any application that uses the package for file uploads is therefore exposed. The root cause is in the `srvx` middleware layer, where improper URI handling lets a crafted request skip the security and validation middleware the application intended to run first.
Developers have three immediate mitigation paths: downgrade to the pre-srvx release `@tus/[email protected]`; wait for the upcoming patched release `@tus/[email protected]+`; or, for projects using npm, pin the `srvx` dependency to the secure range `>=0.11.13` with an npm `overrides` entry. The files to touch in a typical codebase are `package.json` and the service implementation file, such as `tusService.js`. The MIT license status is unaffected, but the operational security risk for deployed services is significant until remediation is applied and the resolved `srvx` version in the lockfile has been confirmed.
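As an added example (not code from the advisory or the `@tus/server` project), the following Node.js snippet audits an npm lockfile (v2/v3 `packages` map) for any resolved `srvx` below the fixed version and produces the `overrides` stanza the advisory recommends; the lockfile contents and package names below are constructed sample data.

```javascript
// First patched srvx version, per the advisory.
const FIXED_SRVX = "0.11.13";

// Compare two semver strings on their major.minor.patch core only.
// Leading range sigils or a "v" prefix (e.g. "^0.11.0", "v0.11.13") are ignored.
function compareSemver(a, b) {
  const parse = (s) => s.replace(/^[^\d]*/, "").split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the resolved srvx version is older than the fix.
function isVulnerableSrvx(version) {
  return compareSemver(version, FIXED_SRVX) < 0;
}

// Walk a lockfile's "packages" map (npm lockfile v2/v3) and collect every srvx
// install path, top-level or nested under another package, that is still vulnerable.
function findVulnerableSrvx(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (/(^|\/)node_modules\/srvx$/.test(path) && meta.version && isVulnerableSrvx(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Return a copy of package.json with the npm "overrides" pin that forces every
// transitive srvx onto the patched range, preserving any existing overrides.
function withSrvxOverride(pkgJson) {
  return { ...pkgJson, overrides: { ...(pkgJson.overrides || {}), srvx: `>=${FIXED_SRVX}` } };
}

// Constructed sample lockfile: @tus/server 2.3.0 pulling in a vulnerable srvx.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@tus/server": { version: "2.3.0", dependencies: { srvx: "^0.11.0" } },
    "node_modules/srvx": { version: "0.11.12" },
  },
};

console.log(findVulnerableSrvx(sampleLock));            // [{ path: 'node_modules/srvx', version: '0.11.12' }]
console.log(withSrvxOverride({ name: "upload-svc" }));   // { name: 'upload-svc', overrides: { srvx: '>=0.11.13' } }
```

After adding the override, rerun `npm install` and re-audit the regenerated lockfile, since the pin only takes effect once the tree is re-resolved.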