GHSA-q7cg-457f-vx79MediumCVSS 5.3
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
🔗 CVE IDs covered (1)
📋 Description
Impact
Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.
The blast radius depends on how the application invokes joi:
- Highest impact:
validate()called withouttry/catchin a request handler would cause an unhandled exception, potentially crashing the process. - Lower impact:
validateAsync()orvalidate()inside atry/catch, the validation fails, but the error type isRangeErrorrather than a structuredValidationError, complicating error handling.
Patches
Upgrade to version >= 18.2.1.
Workarounds
Try/catch the validation to avoid uncaught exceptions.
References
- Pull request: hapijs/joi#3113
🎯 Affected products2
- npm/joi:>= 18.0.0, < 18.2.1
- npm/joi:< 17.13.4