๐Ÿ” CVE Alert

CVE-2026-48038

MEDIUM 5.3

joi: Uncaught RangeError on deeply nested input through recursive `link()` schemas

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link() schemas. When validate() is called without try/catch in a request handler, deeply nested input can trigger an unhandled RangeError and potentially crash the process; lower-impact paths using validateAsync() or try/catch produce a RangeError instead of a structured ValidationError. This issue is fixed in versions 17.13.4 and 18.2.1.

CWE CWE-248
Vendor hapijs
Product joi
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for hapijs joi

Be the first to know when new medium vulnerabilities affecting hapijs joi are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Affected Versions

hapijs / joi
< 17.13.4 >= 18.0.0, < 18.2.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/hapijs/joi/security/advisories/GHSA-q7cg-457f-vx79 github.com: https://github.com/hapijs/joi/pull/3113 github.com: https://github.com/hapijs/joi/commit/97bd51de94d595a2d8949eb3bec0dbdd2f8a7a74 github.com: https://github.com/hapijs/joi/commit/fc146a628ab9cc250854407722d9f8738c9548e7