GMS-2015-57: Route level CORS config overrides connection level defaults

December 28, 2015

When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

References

github.com/hapijs/hapi/issues/2980

Code Behaviors & Features

Detect and mitigate GMS-2015-57 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →