GHSA-q7cg-457f-vx79
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q7cg-457f-vx79
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-q7cg-457f-vx79/GHSA-q7cg-457f-vx79.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q7cg-457f-vx79
- Aliases
-
- CVE-2026-48038
- Downstream
- Related
- Published
- 2026-06-11T13:27:32Z
- Modified
- 2026-06-17T21:59:16.843156892Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
- Details
-
Impact
Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.
The blast radius depends on how the application invokes joi: - Highest impact:
validate()called withouttry/catchin a request handler would cause an unhandled exception, potentially crashing the process. - Lower impact:validateAsync()orvalidate()inside atry/catch, the validation fails, but the error type isRangeErrorrather than a structuredValidationError, complicating error handling.Patches
Upgrade to version >= 18.2.1.
Workarounds
Try/catch the validation to avoid uncaught exceptions.
References
- Pull request: hapijs/joi#3113
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-11T13:27:32Z", "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [ "CWE-248", "CWE-400" ] }- References
Affected packages
npm / joi
Package
- Name
- joi
- View open source insights on deps.dev
- Purl
- pkg:npm/joi
npm / joi
Package
- Name
- joi
- View open source insights on deps.dev
- Purl
- pkg:npm/joi