Bug 2499681 (CVE-2026-48038) - CVE-2026-48038 joi: joi: Denial of Service via uncaught RangeError on deeply nested input through recursive link() schemas
Summary: CVE-2026-48038 joi: joi: Denial of Service via uncaught RangeError on deeply ...
Keywords:
Status: NEW
Alias: CVE-2026-48038
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-13 14:36 UTC by OSIDB Bzimport
Modified: 2026-07-14 15:41 UTC (History)
22 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-13 14:36:59 UTC
joi is a data validation library for JavaScript. In versions prior to 17.13.4 and 18.0.0 through 18.2.0, deeply nested input validated against recursive link() schemas triggers an uncaught RangeError. When validate() is called without try/catch in a request handler, this causes an unhandled exception that can crash the process, leading to denial of service. With validateAsync() or validate() inside try/catch, the validation fails but returns a RangeError instead of a structured ValidationError. Fixed in joi 17.13.4 and 18.2.1.


Note You need to log in before you can comment on or make changes to this bug.