From 98396076dd9026a42389093510371ae46520a9fd Mon Sep 17 00:00:00 2001
From: Tatsunori Uchino
Date: Mon, 15 Jun 2026 00:25:31 +0900
Subject: [PATCH] Improve GHSA-q7cg-457f-vx79

---
 .../2026/06/GHSA-q7cg-457f-vx79/GHSA-q7cg-457f-vx79.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/advisories/github-reviewed/2026/06/GHSA-q7cg-457f-vx79/GHSA-q7cg-457f-vx79.json b/advisories/github-reviewed/2026/06/GHSA-q7cg-457f-vx79/GHSA-q7cg-457f-vx79.json
index 6b64c54e5f31b..b641332f43d73 100644
--- a/advisories/github-reviewed/2026/06/GHSA-q7cg-457f-vx79/GHSA-q7cg-457f-vx79.json
+++ b/advisories/github-reviewed/2026/06/GHSA-q7cg-457f-vx79/GHSA-q7cg-457f-vx79.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q7cg-457f-vx79",
- "modified": "2026-06-12T19:28:27Z",
+ "modified": "2026-06-12T19:28:28Z",
 "published": "2026-06-11T13:27:32Z",
 "aliases": [
 "CVE-2026-48038"
 ],
 "summary": "joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas",
- "details": "### Impact\nDenial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas. \n\nThe blast radius depends on how the application invokes joi:\n- Highest impact: `validate()` called without `try/catch` in a request handler would cause an unhandled exception, potentially crashing the process.\n- Lower impact: `validateAsync()` or `validate()` inside a `try/catch`, the validation fails, but the error type is `RangeError` rather than a structured `ValidationError`, complicating error handling.\n\n### Patches\nUpgrade to version >= 18.2.1.\n\n### Workarounds\nTry/catch the validation to avoid uncaught exceptions.\n\n### References\n- Pull request: hapijs/joi#3113",
+ "details": "### Impact\nDenial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas. \n\nThe blast radius depends on how the application invokes joi:\n- Highest impact: `validate()` called without `try/catch` in a request handler would cause an unhandled exception, potentially crashing the process.\n- Lower impact: `validateAsync()` or `validate()` inside a `try/catch`, the validation fails, but the error type is `RangeError` rather than a structured `ValidationError`, complicating error handling.\n\n### Patches\nUpgrade to version >= 18.2.1 or >=17.13.4.\n\n### Workarounds\nTry/catch the validation to avoid uncaught exceptions.\n\n### References\n- Pull request: hapijs/joi#3113",
 "severity": [
 {
 "type": "CVSS_V3",
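Review bot: The new `details` line now tells readers that 17.13.4 is a fixed version, but the diffstat (2 insertions, 2 deletions, both in this hunk) shows the file's machine-readable `affected` ranges are not touched, so scanners and Dependabot, which act on the `affected[].ranges[].events` data rather than the prose, may still flag 17.13.4 as vulnerable unless a 17.x range with a matching `fixed` event is already present — verify against the `affected` array, which lies outside this hunk. The free-text patch statement and the range data are the two places this advisory states the fix, and they drift silently when only one is edited. Separately, the operator spacing on the new line is inconsistent: `Upgrade to version >= 18.2.1 or >=17.13.4.` should read `Upgrade to version >= 18.2.1 or >= 17.13.4.`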