CVE-2015-9236
Description
Hapi versions older than 11.0.0 mishandle CORS per-route configuration, causing inconsistent headers that can bypass intended cross-origin restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2015-9236 affects the Hapi.js web framework in versions prior to 11.0.0. The framework's CORS (Cross-Origin Resource Sharing) implementation incorrectly handles per-route CORS configuration when the connection-level CORS is enabled. If a single route has CORS disabled and the route's HTTP method is not GET, the OPTIONS preflight request returns default CORS headers (because the server handles OPTIONS at the connection level), but the actual request to that route returns no CORS headers. This inconsistency defeats the purpose of disabling CORS on the route, potentially allowing cross-origin requests that were intended to be forbidden [1][2][4].
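The mismatch described above (preflight grants the origin, real response carries no CORS headers) is easy to check for in an integration test. The following is an added example written for this page, not code from the advisory or from the hapi project; the header objects are constructed samples standing in for the two responses a test client would capture.

```javascript
// Added example: flag the CVE-2015-9236 inconsistency between a CORS preflight
// (OPTIONS) response and the response to the actual non-GET request.
// The header objects at the bottom are constructed samples, not captured traffic.

// Normalise header names so lookups are case-insensitive.
function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// True when the response grants `origin` via Access-Control-Allow-Origin.
function allowsOrigin(headers, origin) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// Compare the preflight and actual responses for one route/method/origin.
// Returns a list of findings; an empty list means the two responses agree.
function checkCorsConsistency(preflightHeaders, actualHeaders, origin, method) {
  const pre = lowerHeaders(preflightHeaders);
  const act = lowerHeaders(actualHeaders);
  const findings = [];
  const preAllows = allowsOrigin(pre, origin);
  const actAllows = allowsOrigin(act, origin);
  const methods = (pre['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase()).filter(Boolean);

  if (preAllows && methods.length > 0 && !methods.includes(method.toUpperCase())) {
    findings.push(`preflight grants origin but does not list method ${method}`);
  }
  if (preAllows && !actAllows) {
    // This is the pre-11.0.0 hapi behaviour: connection-level OPTIONS handler
    // answers the preflight, the route with cors:false answers the real request.
    findings.push('preflight grants origin but actual response lacks a matching Access-Control-Allow-Origin');
  }
  if (!preAllows && actAllows) {
    findings.push('actual response grants origin without a matching preflight grant');
  }
  return findings;
}

// Constructed sample: server-wide CORS on, POST route with CORS disabled.
const preflightSample = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS',
};
const actualSample = { 'Content-Type': 'application/json' };

// Constructed sample of a consistent (fixed) pair: both responses grant the origin.
const fixedActualSample = { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'application/json' };
```

Run `checkCorsConsistency(preflightSample, actualSample, 'https://other.example', 'POST')` against each non-GET route that is meant to have CORS disabled; any finding means the preflight and the real response disagree.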
Exploitation
An attacker needs the ability to send cross-origin HTTP requests to a Hapi application where the server has CORS enabled globally, but at least one non-GET route has CORS explicitly disabled. The attacker first triggers an OPTIONS preflight request; the server responds with CORS headers (e.g., Access-Control-Allow-Origin: *) because the OPTIONS handler inherits the global setting. The browser then proceeds to send the actual request (e.g., POST, PUT, DELETE) to that route. Since the route itself does not return CORS headers on the real response, the browser would normally block the response, but in many implementations the preflight approval alone can lead to unintended exposure or allow reading of the response if the server side does not enforce proper checks [1][3].
Impact
Successful exploitation enables cross-origin activities that should have been forbidden. At best, clients receive inconsistent CORS headers leading to unexpected behavior; at worst, a malicious website can make cross-origin requests to protected routes and potentially read the response, leading to information disclosure or unauthorized state-changing operations. The vulnerability undermines the developer’s intent to disable CORS on sensitive routes [1][2][4].
Mitigation
Upgrade to Hapi version 11.0.0 or later. This release rewrites the CORS implementation to be truly per-route, removing the global catch-all behavior and ensuring preflight headers are only set on preflight responses [2][3]. No other workarounds are provided by the vendor. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| hapi | npm | < 11.0.0 | 11.0.0 |
Affected products
- Range: <11.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vwrf-r5r4-7775 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-9236 (advisory)
- github.com/hapijs/hapi/issues/2840 (web)
- github.com/hapijs/hapi/issues/2850 (web)
- nodesecurity.io/advisories/45 (misc)
- www.npmjs.com/advisories/45 (web)
News mentions
No linked articles in our index yet.