Описание
Unsafe Merging of CORS Configuration Conflict in hapi
Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.
Recommendation
Update hapi to version 11.1.4 or later.
Пакеты
Наименование
hapi
npm
Затронутые версииВерсия исправления
< 11.1.4
11.1.4
Связанные уязвимости
CVSS3: 5.9
nvd
больше 7 лет назад
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`).