CVE-2026-48038

ADVISORY - github

Summary

Impact

Denial of service via an untrapped exception in services that validate user-supplied JSON / object input against recursive link schemas.

The blast radius depends on how the application invokes joi:

  • Highest impact: validate() called without try/catch in a request handler raises an unhandled exception, potentially crashing the process.
  • Lower impact: with validateAsync(), or validate() inside a try/catch, validation still fails, but the thrown error is a RangeError rather than a structured ValidationError, which complicates error handling.

Patches

Upgrade to version >= 18.2.1.

Workarounds

Try/catch the validation to avoid uncaught exceptions.
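The following is an added example, not code from the joi project or from this advisory, showing the workaround in practice: validation is wrapped so that any error that is not a joi ValidationError (such as the RangeError a recursive link schema raises on deeply nested input) becomes a controlled rejection instead of an unhandled exception. The schema here is a constructed stand-in that mimics joi's validate()/validateAsync() contract (a `{ value, error }` result, `error.isJoi === true`, `error.details`); joi itself is not loaded. The names safeValidate, safeValidateAsync and buildDeepInput are this example's own.

```javascript
// Added example (not from joi or the advisory): wrap validation so that a
// non-ValidationError escaping from the validator is turned into a controlled
// rejection rather than crashing the process.

// Constructed stand-in for a joi schema with a recursive link: it walks the
// "child" chain recursively, so sufficiently deep input exhausts the call
// stack and throws a RangeError, which is the failure mode the advisory names.
const nestedSchema = {
  validate(input) {
    const walk = (node) => {
      if (node === null || typeof node !== 'object') {
        // Shaped like a joi ValidationError returned from validate().
        return {
          error: {
            isJoi: true,
            name: 'ValidationError',
            details: [{ message: '"child" must be an object', path: ['child'] }],
          },
        };
      }
      return node.child === undefined ? { value: input } : walk(node.child);
    };
    return walk(input);
  },
  // validateAsync() resolves with the value or rejects with the error,
  // which is the contract joi's own validateAsync() follows.
  validateAsync(input) {
    const { value, error } = this.validate(input);
    return error ? Promise.reject(error) : Promise.resolve(value);
  },
};

// joi marks its own validation errors; anything else is an internal failure.
function isJoiValidationError(err) {
  return Boolean(err) && err.isJoi === true && err.name === 'ValidationError';
}

// Synchronous wrapper around schema.validate(). Never throws: returns a
// result object a request handler can map directly to an HTTP response.
function safeValidate(schema, input) {
  let result;
  try {
    result = schema.validate(input);
  } catch (err) {
    // The validator itself blew up (e.g. RangeError on deep input). Reject the
    // input as unprocessable and surface the error name for logging.
    return { ok: false, status: 400, reason: 'unprocessable', cause: err.name };
  }
  if (result.error) {
    return {
      ok: false,
      status: 400,
      reason: 'invalid',
      messages: result.error.details.map((d) => d.message),
    };
  }
  return { ok: true, status: 200, value: result.value };
}

// Async wrapper around schema.validateAsync(), which throws on both
// structured validation failures and internal errors; tell them apart.
async function safeValidateAsync(schema, input) {
  try {
    const value = await schema.validateAsync(input);
    return { ok: true, status: 200, value };
  } catch (err) {
    if (isJoiValidationError(err)) {
      return {
        ok: false,
        status: 400,
        reason: 'invalid',
        messages: err.details.map((d) => d.message),
      };
    }
    return { ok: false, status: 400, reason: 'unprocessable', cause: err.name };
  }
}

// Builds a constructed input nested `depth` levels deep, iteratively so the
// builder itself cannot overflow.
function buildDeepInput(depth) {
  let value = {};
  for (let i = 0; i < depth; i++) value = { child: value };
  return value;
}

// Stand-alone demo: deep input is rejected with a controlled result.
console.log(safeValidate(nestedSchema, buildDeepInput(200000)));
```

Mapping the internal failure to a 400 rather than a 500 is a design choice for this example: the input is what triggered it, so rejecting it keeps the process up and avoids signalling a server fault; the `cause` field is there for logging and alerting on how often it happens.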

References

  • Pull request: hapijs/joi#3113

EPSS Score: 0.00039 (0.121)

Common Weakness Enumeration (CWE)

Uncaught Exception

Uncontrolled Resource Consumption

