CORS Bypass

Affecting hapi package, versions <11.0.0

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Hapi v11.0.0 and below have an incorrect implementation of the CORS protocol, and allow for configurations that, at best, return inconsistent headers and, at worst, cross-origin activities that are expected to be forbidden.

Details

If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

Remediation

Upgrade to a version 11.0.0 or greater.

References

CVSS Score

3.7
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit
Eran Hammer
CVE
CVE-2015-9236
CWE
CWE-284
Snyk ID
npm:hapi:20151020
Disclosed
20 Oct, 2015
Published
06 Nov, 2015