CORS Misconfiguration in hapi Module for Node.js
CVE-2015-9243

5.9 MEDIUM

Key Information:

Vendor

Hackerone

CVE Published:
29 May 2018

What is CVE-2015-9243?

The hapi Node.js module prior to version 11.1.4 contains a vulnerability in how it combines Cross-Origin Resource Sharing (CORS) configurations. When server-level, connection-level, or route-level CORS settings are combined, security restrictions such as the origin can be unintentionally overridden. This occurs when a less restrictive default (such as allowing all origins with *) takes precedence over more stringent rules, which creates potential security risks for web applications that rely on their CORS settings. Developers using affected versions should upgrade to version 11.1.4 or later so that their CORS settings enforce the intended security policies.
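The precedence problem described above, as an added example that is not hapi's code or part of the original advisory: a simplified model of layered CORS settings that contrasts a merge where defaults are filled in per layer with one where defaults are applied once, plus an audit over a constructed route list. All function names, the layer shape and the sample origins are assumptions made for illustration.

```javascript
// Simplified model of layered CORS settings (server -> connection -> route).
// Assumption: this is not hapi's source; all names here are hypothetical.
const CORS_DEFAULTS = { origin: ['*'], credentials: false };

// A layer is undefined (not set), true (enable with defaults) or an object.
const explicitKeys = (layer) => (layer === true ? {} : layer);

// Flawed merge: every layer is expanded with defaults before merging, so a
// layer that only says `true` carries origin ['*'] and overwrites a
// restriction that was set at a higher level.
function mergeDefaultsPerLayer(...layers) {
  return layers
    .filter((l) => l !== undefined)
    .map((l) => ({ ...CORS_DEFAULTS, ...explicitKeys(l) }))
    .reduce((acc, l) => ({ ...acc, ...l }), { ...CORS_DEFAULTS });
}

// Safer merge: combine only the keys each layer set explicitly, then apply
// defaults once, so '*' is used only when no layer restricted the origin.
function mergeExplicitThenDefaults(...layers) {
  const explicit = layers
    .filter((l) => l !== undefined)
    .map(explicitKeys)
    .reduce((acc, l) => ({ ...acc, ...l }), {});
  return { ...CORS_DEFAULTS, ...explicit };
}

// True when the effective policy admits an origin outside the intended list.
const widened = (effective, intended) =>
  !intended.includes('*') && effective.origin.some((o) => !intended.includes(o));

// Audit helper: paths whose effective origin list is wider than intended.
function findWidenedRoutes(routes, merge) {
  return routes
    .filter((r) => widened(merge(r.server, r.connection, r.route), r.intended))
    .map((r) => r.path);
}

// Constructed sample configuration (not taken from any real deployment).
const SAMPLE_ROUTES = [
  { path: '/account', intended: ['https://app.example.com'],
    server: { origin: ['https://app.example.com'] }, route: true },
  { path: '/public', intended: ['*'], route: true },
];

console.log('per-layer defaults:', findWidenedRoutes(SAMPLE_ROUTES, mergeDefaultsPerLayer));
console.log('defaults applied once:', findWidenedRoutes(SAMPLE_ROUTES, mergeExplicitThenDefaults));
```

The same audit idea applies to a live service after upgrading: compare the Access-Control-Allow-Origin header each route actually returns against the allowlist intended for it.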

Affected Version(s)

hapi node module <11.1.4

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
