Overview
About vulnerability
Impact
Denial of service via an untrapped exception in services that validate user-supplied JSON / object input against schemas containing recursive links.
The blast radius depends on how the application invokes joi:
- Highest impact: `validate()` called without `try/catch` in a request handler raises an unhandled exception, potentially crashing the Node.js process.
- Lower impact: `validateAsync()`, or `validate()` inside a `try/catch`. The validation still fails, but the error is a bare `RangeError` rather than a structured `ValidationError`, so error handling that keys on joi's error shape (for example to return a 400 response) does not fire as expected.
Patches
Upgrade to version >= 18.2.1.
Workarounds
Wrap `validate()` in `try/catch` (or use `validateAsync()` and handle its rejection) so the exception cannot escape the request handler. This keeps the process alive but does not turn the `RangeError` into a `ValidationError`; treat it as an internal failure rather than as client input error, and upgrade as soon as possible.
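As an added illustration of the two invocation patterns above and of the workaround (example code, not joi's own and not from the advisory): the schemas below are constructed stand-ins that mimic the `{ value, error }` result shape of joi's `schema.validate()` and the rejection of `validateAsync()`, so the file runs without the joi package. The vulnerable path is simulated with a deliberate stack overflow, because that is what yields a bare `RangeError`; the example does not reproduce the actual recursive-link trigger, which the advisory does not describe. The wrapper names (`classifyValidation`, `classifyValidationAsync`) are assumptions of this example.

```javascript
// Added example: trap a thrown RangeError from validation and classify it
// as a server-side failure, separately from a structured joi ValidationError.
// Schemas here are constructed stand-ins, not joi objects.

// Builds an error shaped like joi's ValidationError (name, isJoi, details).
function joiLikeError(message) {
  const err = new Error(message);
  err.name = 'ValidationError';
  err.isJoi = true;
  err.details = [{ message, path: ['name'], type: 'any.required' }];
  return err;
}

// Stand-in for a schema that accepts the input.
const acceptingSchema = {
  validate(input) { return { value: input, error: undefined }; },
  validateAsync(input) { return Promise.resolve(input); },
};

// Stand-in for a schema that rejects the input the normal joi way:
// validate() reports through result.error, validateAsync() rejects.
const rejectingSchema = {
  validate(input) { return { value: input, error: joiLikeError('"name" is required') }; },
  validateAsync() { return Promise.reject(joiLikeError('"name" is required')); },
};

// Stand-in for the vulnerable path: unbounded recursion makes V8 throw a
// real RangeError ("Maximum call stack size exceeded"), the error type the
// advisory describes. This does NOT reproduce joi's recursive-link trigger.
function overflow(n) { return overflow(n + 1) + 1; }
const overflowingSchema = {
  validate() { return overflow(0); },
  validateAsync() { return Promise.resolve().then(() => overflow(0)); },
};

// Synchronous handler pattern: validate() inside try/catch (the workaround).
// Returns an HTTP-style outcome instead of letting the exception escape.
function classifyValidation(schema, input) {
  let result;
  try {
    result = schema.validate(input);
  } catch (err) {
    // joi reports bad input through result.error, so anything thrown here is
    // not a validation outcome. A RangeError is treated as an internal failure.
    if (err instanceof RangeError) {
      return { status: 500, kind: 'internal', message: 'validation aborted: ' + err.message };
    }
    throw err; // other error types still go to the framework's error handler
  }
  if (result.error) {
    return { status: 400, kind: 'invalid', message: result.error.message, details: result.error.details };
  }
  return { status: 200, kind: 'ok', value: result.value };
}

// Async handler pattern: validateAsync() rejects with a ValidationError for
// bad input, but with a bare RangeError on the vulnerable path; the two must
// be told apart, since only the former is a client error.
async function classifyValidationAsync(schema, input) {
  try {
    const value = await schema.validateAsync(input);
    return { status: 200, kind: 'ok', value };
  } catch (err) {
    if (err && err.isJoi) {
      return { status: 400, kind: 'invalid', message: err.message, details: err.details };
    }
    if (err instanceof RangeError) {
      return { status: 500, kind: 'internal', message: 'validation aborted: ' + err.message };
    }
    throw err;
  }
}
```

The 500 branch is where a real deployment should also log the schema name and alert, because a request that reaches it is either hitting this bug or another unexpected failure inside validation, not bad client input.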
Resources
- Pull request: hapijs/joi#3113
Details
- Affected package: joi (npm), versions before 18.2.1