CVE-2015-9243
Description
A vulnerability in hapi before 11.1.4 allows less restrictive CORS defaults to override stricter restrictions when configs are combined across levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The hapi node module before version 11.1.4 mishandles the combination of Cross-Origin Resource Sharing (CORS) configurations defined at the server, connection, and route levels. When a higher-level configuration (e.g., at the server or connection level) includes a security restriction such as a specific allowed origin, and a lower-level route configuration is also provided, the higher-level restriction is overridden by the route level's defaults (e.g., the origin defaults to '*'). All versions prior to 11.1.4 are affected. [1][2]
Exploitation
An attacker needs only the ability to make cross-origin requests to a hapi endpoint that uses combined CORS configurations. No authentication or special network position is required. The attacker can craft a request from any origin and, due to the override, the server may respond with access-control-allow-origin: * or another permissive header, even if a stricter origin was intended. [2]
Impact
Successful exploitation allows an attacker to bypass the intended CORS restrictions. This can result in unauthorized cross-origin data access, such as reading sensitive responses from the vulnerable endpoint, leading to information disclosure. The impact is at the application logic level, as the permissive CORS policy may allow malicious websites to interact with the API on behalf of a user. [1][2]
Mitigation
The fix was released in hapi version 11.1.4 on an unspecified date. Users should upgrade to 11.1.4 or later. No known workarounds are documented for earlier versions. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
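To make the defect class concrete, the following is an added illustration written for this page; it is not hapi's own code and does not reproduce hapi's internal merge logic. It models a two-level CORS configuration (a "server" level and a "route" level, both constructed here) and shows a merge that lets the route level's defaults win over an explicit server-level origin next to a merge that applies defaults only for keys no level set, plus a small check that flags any effective route policy whose origin list is broader than its parent's. The helper names (mergeCorsVulnerable, mergeCorsFixed, allowOriginHeader, widensOrigin) and the sample origins are assumptions made for the example.

```javascript
// Constructed illustration of the configuration-merge defect described in the
// advisory: a lower level's *defaults* silently override an explicit restriction
// set at a higher level. Not hapi's code; names and sample values are invented.

const CORS_DEFAULTS = { origin: ['*'], credentials: false, maxAge: 86400 };

// Vulnerable merge: the route options are first filled with defaults and only
// then layered over the server options, so the default origin '*' replaces the
// stricter server-level origin even though the route never set one.
function mergeCorsVulnerable(serverCors, routeCors) {
  const routeEffective = Object.assign({}, CORS_DEFAULTS, routeCors || {});
  return Object.assign({}, serverCors || {}, routeEffective);
}

// Fixed merge: collect every key a level set explicitly (route over server),
// and fill in defaults last, only for keys nobody set. An inherited restriction
// therefore survives unless the route overrides it on purpose.
function mergeCorsFixed(serverCors, routeCors) {
  const explicit = Object.assign({}, serverCors || {}, routeCors || {});
  return Object.assign({}, CORS_DEFAULTS, explicit);
}

// Whether the effective policy allows a given request Origin.
function originAllowed(cors, requestOrigin) {
  return cors.origin.includes('*') || cors.origin.includes(requestOrigin);
}

// The Access-Control-Allow-Origin value the server would emit, or null when the
// origin is not allowed and no header should be sent.
function allowOriginHeader(cors, requestOrigin) {
  if (!originAllowed(cors, requestOrigin)) return null;
  if (cors.origin.includes('*') && !cors.credentials) return '*';
  return requestOrigin;
}

// Defender-side regression check: true when the effective route policy accepts
// an origin that the parent (server/connection) policy does not. A wildcard
// parent can never be widened; a wildcard child under a restricted parent is
// always flagged.
function widensOrigin(parentCors, effectiveCors) {
  if (!parentCors || !Array.isArray(parentCors.origin)) return false;
  if (parentCors.origin.includes('*')) return false;
  return effectiveCors.origin.some((o) => !parentCors.origin.includes(o));
}

// Constructed sample: the server restricts CORS to one origin; the route only
// tunes maxAge and says nothing about origin.
const serverCors = { origin: ['https://app.example'], credentials: true };
const routeCors = { maxAge: 600 };

// Run both merges on the sample and report what a cross-origin request would get.
function demo() {
  const vulnerable = mergeCorsVulnerable(serverCors, routeCors);
  const fixed = mergeCorsFixed(serverCors, routeCors);
  return {
    vulnerableHeader: allowOriginHeader(vulnerable, 'https://other.example'),
    fixedHeader: allowOriginHeader(fixed, 'https://other.example'),
    vulnerableWidens: widensOrigin(serverCors, vulnerable),
    fixedWidens: widensOrigin(serverCors, fixed),
  };
}

console.log(demo());
```

The widensOrigin check is the piece worth keeping around: run it over every route's effective policy against its parent level after an upgrade or a configuration change, and treat any true result as something to review, since a route that legitimately needs a broader origin list should be an explicit, visible override rather than a side effect of defaulting.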
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hapi (npm) | < 11.1.4 | 11.1.4 |
Affected products
- Range: <11.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j3g2-m5jj-6336 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-9243 (ghsa, ADVISORY)
- github.com/hapijs/hapi/issues/2980 (ghsa, x_refsource_MISC, WEB)
- nodesecurity.io/advisories/65 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/65 (ghsa, WEB)
News mentions
No linked articles in our index yet.