CVE-2026-48038
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link() schemas. When validate() is called without try/catch in a request handler, deeply nested input can trigger an unhandled RangeError and potentially crash the process; lower-impact paths using validateAsync() or try/catch produce a RangeError instead of a structured ValidationError. This issue is fixed in versions 17.13.4 and 18.2.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| hapijs | joi | < 17.13.4 | affected |
| hapijs | joi | >= 18.0.0, < 18.2.1 | affected |
Weaknesses
- CWE-248: CWE-248: Uncaught Exception
References
- https://github.com/hapijs/joi/security/advisories/GHSA-q7cg-457f-vx79
- https://github.com/hapijs/joi/pull/3113
- https://github.com/hapijs/joi/commit/97bd51de94d595a2d8949eb3bec0dbdd2f8a7a74
- https://github.com/hapijs/joi/commit/fc146a628ab9cc250854407722d9f8738c9548e7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.