CVE-2026-48038: CWE-248: Uncaught Exception in hapijs joi
A vulnerability in the hapijs joi JavaScript data validation library allows denial of service via unhandled exceptions triggered by deeply nested recursive link() schemas. Versions prior to 17.13.4 and 18.2.1 can crash the process when validate() is called without try/catch on malicious input. This issue is fixed in versions 17.13.4 and 18.2.1.
AI Analysis
Technical Summary
The hapijs joi library, used for schema validation in JavaScript, contains a vulnerability (CVE-2026-48038) where deeply nested recursive link() schemas can cause an untrapped RangeError exception. When validate() is invoked without a try/catch block, this leads to an unhandled exception that can crash the application process, resulting in denial of service. Using validateAsync() or wrapping validate() in try/catch results in a RangeError but does not crash the process. The vulnerability affects versions prior to 17.13.4 and 18.2.1 and has been fixed in these versions.
Potential Impact
An attacker can cause a denial of service by sending specially crafted deeply nested JSON or object input that triggers an unhandled RangeError in vulnerable versions of joi. This results in the crashing of the application process, causing service disruption. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
This vulnerability is fixed in joi versions 17.13.4 and 18.2.1. Users should upgrade to these or later versions to remediate the issue. Until upgraded, ensure that calls to validate() are wrapped in try/catch blocks or use validateAsync() to avoid unhandled exceptions and process crashes.
CVE-2026-48038: CWE-248: Uncaught Exception in hapijs joi
Description
A vulnerability in the hapijs joi JavaScript data validation library allows denial of service via unhandled exceptions triggered by deeply nested recursive link() schemas. Versions prior to 17.13.4 and 18.2.1 can crash the process when validate() is called without try/catch on malicious input. This issue is fixed in versions 17.13.4 and 18.2.1.
CVSS v3.1
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The hapijs joi library, used for schema validation in JavaScript, contains a vulnerability (CVE-2026-48038) where deeply nested recursive link() schemas can cause an untrapped RangeError exception. When validate() is invoked without a try/catch block, this leads to an unhandled exception that can crash the application process, resulting in denial of service. Using validateAsync() or wrapping validate() in try/catch results in a RangeError but does not crash the process. The vulnerability affects versions prior to 17.13.4 and 18.2.1 and has been fixed in these versions.
Potential Impact
An attacker can cause a denial of service by sending specially crafted deeply nested JSON or object input that triggers an unhandled RangeError in vulnerable versions of joi. This results in the crashing of the application process, causing service disruption. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
This vulnerability is fixed in joi versions 17.13.4 and 18.2.1. Users should upgrade to these or later versions to remediate the issue. Until upgraded, ensure that calls to validate() are wrapped in try/catch blocks or use validateAsync() to avoid unhandled exceptions and process crashes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-20T18:15:53.577Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a568f2568715ace43148c4e
Added to database: 07/14/2026, 19:33:57 UTC
Last enriched: 07/14/2026, 20:08:47 UTC
Last updated: 07/15/2026, 02:12:55 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.