CVE-2026-48038

Summary

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link() schemas. When validate() is called without try/catch in a request handler, deeply nested input can trigger an unhandled RangeError and potentially crash the process; lower-impact paths using validateAsync() or try/catch produce a RangeError instead of a structured ValidationError. This issue is fixed in versions 17.13.4 and 18.2.1.

Affected Software

VendorProductVersion RangeStatus
hapijsjoi< 17.13.4affected
hapijsjoi>= 18.0.0, < 18.2.1affected

Weaknesses

  • CWE-248: CWE-248: Uncaught Exception

References