Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

Recommendation

Update hapi to version 11.1.4 or later.

References

• hapijs/hapi#2980
• https://www.npmjs.com/advisories/65
• https://nvd.nist.gov/vuln/detail/CVE-2015-9243