GHSA-q7cg-457f-vx79MediumCVSS 5.3

joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas

Published
June 11, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.

The blast radius depends on how the application invokes joi:

  • Highest impact: validate() called without try/catch in a request handler would cause an unhandled exception, potentially crashing the process.
  • Lower impact: validateAsync() or validate() inside a try/catch, the validation fails, but the error type is RangeError rather than a structured ValidationError, complicating error handling.

Patches

Upgrade to version >= 18.2.1.

Workarounds

Try/catch the validation to avoid uncaught exceptions.

References

  • Pull request: hapijs/joi#3113

🎯 Affected products2

  • npm/joi:>= 18.0.0, < 18.2.1
  • npm/joi:< 17.13.4

🔗 References (4)