Route level CORS config overrides connection level defaults

2015-12-28T17:17:36
ID NODEJS:65
Type nodejs
Reporter Eran Hammer
Modified 2018-05-08T14:27:01

Description

Overview

Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

Recommendation

Update hapi to version 11.1.4 or later.

References

Issue #2980