Cross-Origin Resource Sharing Misconfiguration in Hapi Framework
CVE-2015-9236
What is CVE-2015-9236?
The Hapi Framework prior to version 11.0.0 has a security misconfiguration in its handling of Cross-Origin Resource Sharing (CORS). The framework can return inconsistent CORS headers, so cross-origin requests can bypass restrictions intended to secure the application. Specifically, when CORS is enabled, if one route has it disabled and the request method is not GET, the response to the OPTIONS preflight request may carry the default CORS headers, creating a false sense of security. Consequently, the actual request bypasses the expected CORS checks, exposing the application to potential cross-origin attacks.
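
An added example (not from the advisory or the hapi project): a regression check that compares recorded headers from the OPTIONS preflight with those of the actual response and flags routes showing the mismatch described above. The function names, routes and header captures are constructed for illustration.

```javascript
// Added example: hypothetical helper names; all header data below is constructed.
const ACAO = 'access-control-allow-origin';

// Header names are case-insensitive, so lower-case them before lookup.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// probe.corsExpected is the policy the route was configured with (false = CORS off).
function checkRoute(probe) {
  const preflightAllows = ACAO in normalize(probe.preflight);
  const actualAllows = ACAO in normalize(probe.actual);
  const findings = [];
  if (!probe.corsExpected && preflightAllows) {
    findings.push('preflight returns CORS headers for a route with CORS disabled');
  }
  if (preflightAllows !== actualAllows) {
    findings.push('preflight and actual response disagree on ' + ACAO);
  }
  return { route: probe.method + ' ' + probe.path, findings };
}

// Keep only the routes that show the inconsistency.
function auditProbes(probes) {
  return probes.map(checkRoute).filter((r) => r.findings.length > 0);
}

// Constructed captures: headers of the OPTIONS preflight and of the actual response.
const SAMPLE_PROBES = [
  { method: 'POST', path: '/internal/settings', corsExpected: false,
    preflight: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': 'POST' },
    actual: { 'Content-Type': 'application/json' } },
  { method: 'POST', path: '/api/items', corsExpected: true,
    preflight: { 'Access-Control-Allow-Origin': 'https://app.example', 'Access-Control-Allow-Methods': 'POST' },
    actual: { 'access-control-allow-origin': 'https://app.example' } },
  { method: 'PUT', path: '/internal/users', corsExpected: false,
    preflight: {}, actual: {} },
];

for (const r of auditProbes(SAMPLE_PROBES)) {
  console.log(r.route + ': ' + r.findings.join('; '));
}
```

Run it against header captures taken before and after upgrading; a route configured without CORS should produce no findings once the preflight and the actual response agree.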

Affected Version(s)
hapi node module <11.0.0
