CVE-2015-9236 — Incorrect handling of CORS preflight request headers in hapi

Description

Versions of `hapi` prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route. ## Recommendation Update to version 11.0.0 or later.

How to fix CVE-2015-9236

To remediate CVE-2015-9236, upgrade the affected package to a fixed version below.

—upgrade to 11.0.0 or later

Is CVE-2015-9236 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 11.0.0

References (5)

ADVISORYgithub.com/advisories/GHSA-vwrf-r5r4-7775
ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-9236
WEBgithub.com/hapijs/hapi/issues/2840
WEBgithub.com/hapijs/hapi/issues/2850
WEBwww.npmjs.com/advisories/45