CVE-2026-48038
MEDIUM
5.3
CVSS 3.1
Description
joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link() schemas. When validate() is called without try/catch in a request handler, deeply nested input can trigger an unhandled RangeError and potentially crash the process; lower-impact paths using validateAsync() or try/catch produce a RangeError instead of a structured ValidationError. This issue is fixed in versions 17.13.4 and 18.2.1.
Metadata
Severity & Metrics
5.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| hapijs | joi | — | < 17.13.4, >= 18.0.0, < 18.2.1 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-248 | cna | CWE-248: Uncaught Exception |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (4)
- https://github.com/hapijs/joi/security/advisories/GHSA-q7cg-457f-vx79 https://github.com/hapijs/joi/security/advisories/GHSA-q7cg-457f-vx79
- https://github.com/hapijs/joi/pull/3113 https://github.com/hapijs/joi/pull/3113
- https://github.com/hapijs/joi/commit/97bd51de94d595a2d8949eb3bec0dbdd2f8a7a74 https://github.com/hapijs/joi/commit/97bd51de94d595a2d8949eb3bec0dbdd2f8a7a74
- https://github.com/hapijs/joi/commit/fc146a628ab9cc250854407722d9f8738c9548e7 https://github.com/hapijs/joi/commit/fc146a628ab9cc250854407722d9f8738c9548e7