N/A

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

N/A

访问控制不恰当

Hapi 安全漏洞

Hapi是一款用于Node.js的服务器框架。该框架支持输入验证、缓存和身份验证等。 Hapi 11.0.0之前版本中存在安全漏洞，该漏洞源于程序没有正确的实现CORS。攻击者可利用该漏洞可能执行跨源操作。

N/A

N/A