MEDIUM 5.3 npm

joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas

GHSA-q7cg-457f-vx79 · CVE-2026-48038


Description

Impact

Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.

The blast radius depends on how the application invokes joi:

  • Highest impact: validate() called without a try/catch in a request handler raises an unhandled exception, potentially crashing the process.
  • Lower impact: with validateAsync(), or validate() wrapped in a try/catch, validation fails, but the error is a RangeError rather than a structured ValidationError, which complicates error handling.

Patches

Upgrade to version >= 18.2.1.

Workarounds

Wrap the validation call in a try/catch so the RangeError cannot escape as an uncaught exception.
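The workaround above, as an added example that is not part of the advisory or of joi itself: a wrapper that catches the RangeError and returns a structured failure, plus an iterative nesting-depth pre-check (an extra mitigation the advisory does not mention). The `recursiveSchema` object is a constructed stand-in for a recursive `link()` schema, and `MAX_DEPTH` is an assumed limit.

```javascript
const MAX_DEPTH = 64; // assumed limit; tune to the nesting your API legitimately needs

// Iterative depth measurement: it never recurses, so it cannot overflow the stack itself.
function nestingDepth(value) {
  let max = 0;
  const stack = [[value, 1]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > max) max = depth;
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return max;
}

// Wraps schema.validate() so callers always get { error, value } back, never a thrown RangeError.
// Pass Infinity as maxDepth to rely on the try/catch alone (the advisory's workaround).
function safeValidate(schema, value, maxDepth = MAX_DEPTH) {
  if (nestingDepth(value) > maxDepth) {
    return { error: { code: 'too_deep', message: `input exceeds ${maxDepth} levels of nesting` } };
  }
  try {
    return schema.validate(value);
  } catch (err) {
    if (err instanceof RangeError) {
      // Stack exhaustion surfaces as RangeError in joi < 18.2.1 (GHSA-q7cg-457f-vx79).
      return { error: { code: 'validation_failed', message: 'input nesting too deep for schema' } };
    }
    throw err; // anything else is a programming error and should propagate
  }
}

// Constructed stand-in for a recursive link() schema: one call frame per nesting level,
// so deep enough input exhausts the call stack as the advisory describes.
const recursiveSchema = {
  validate(node) {
    if (node === null || typeof node !== 'object') return { value: node };
    if ('child' in node) this.validate(node.child);
    return { value: node };
  },
};

// Builds input nested `depth` levels without recursion (constructed test input).
function nested(depth) {
  let node = {};
  for (let i = 0; i < depth; i++) node = { child: node };
  return node;
}
```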

References

  • Pull request: hapijs/joi#3113
