Severity: moderate

Unsafe Merging of CORS Configuration Conflict



Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.


Update hapi to version 11.1.4 or later.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Dec 28th, 2015
  2. reported

    Initial report by Eran Hammer
    Dec 28th, 2015