
GHSA-j3g2-m5jj-6336

GitHub Security Advisory

Unsafe Merging of CORS Configuration Conflict in hapi

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Versions of `hapi` prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

## Recommendation

Update hapi to version 11.1.4 or later.

Affected Packages

npm hapi
Affected versions: 0 (fixed in 11.1.4)

Related CVEs

Key Information

GHSA ID
GHSA-j3g2-m5jj-6336
Published
September 1, 2020 3:20 PM
Last Modified
August 31, 2020 6:09 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
hapi
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.