Directory Traversal Vulnerability in @hapi/inert for hapi.js
CVE-2026-48049

5.3MEDIUM

Key Information:

Vendor

Hapijs

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-48049?

A directory traversal vulnerability exists in @hapi/inert versions 4.0.0 to 7.1.0, allowing unauthenticated remote attackers to potentially read sensitive files. This is due to improper confinement enforcement during static file handling, specifically when resolving file paths. An attacker could exploit this by accessing files outside the intended directory structure using crafted requests. The issue has been addressed in version 7.1.1, which includes a fix to ensure proper path validation and confinement.

Affected Version(s)

inert >= 4.0.0, < 7.1.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.