Unsafe Merging of CORS Configuration Conflicthapi
hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.
Update hapi to version 11.1.4 or later.
publishedAdvisory publishedDec 28th, 2015
reportedInitial report by Eran HammerDec 28th, 2015