Directory Traversal Vulnerability in @hapi/inert for hapi.js
CVE-2026-48049
5.3MEDIUM
What is CVE-2026-48049?
A directory traversal vulnerability exists in @hapi/inert versions 4.0.0 to 7.1.0, allowing unauthenticated remote attackers to potentially read sensitive files. This is due to improper confinement enforcement during static file handling, specifically when resolving file paths. An attacker could exploit this by accessing files outside the intended directory structure using crafted requests. The issue has been addressed in version 7.1.1, which includes a fix to ensure proper path validation and confinement.
Affected Version(s)
inert >= 4.0.0, < 7.1.1
