CVE-2015-9236: Exposure of Sensitive Information to an Unauthorized Actor

June 7, 2018 (updated January 8, 2021)

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

References

github.com/advisories/GHSA-vwrf-r5r4-7775
github.com/hapijs/hapi/issues/2840
github.com/hapijs/hapi/issues/2850
nodesecurity.io/advisories/45
nvd.nist.gov/vuln/detail/CVE-2015-9236
www.npmjs.com/advisories/45

Code Behaviors & Features

Detect and mitigate CVE-2015-9236 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →