Vulnerable Library - joi-17.13.3.tgz
Library home page: https://registry.npmjs.org/joi/-/joi-17.13.3.tgz
Path to dependency file: /backend/package.json
Path to vulnerable library: /backend/node_modules/joi/package.json
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (joi version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-48038 | Medium | 5.3 | joi-17.13.3.tgz | Direct | joi - 18.2.1 | ❌ |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-48038
Vulnerable Library - joi-17.13.3.tgz
Library home page: https://registry.npmjs.org/joi/-/joi-17.13.3.tgz
Path to dependency file: /backend/package.json
Path to vulnerable library: /backend/node_modules/joi/package.json
Dependency Hierarchy:
- ❌ joi-17.13.3.tgz (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Impact
Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas. The blast radius depends on how the application invokes joi:
- Highest impact: "validate()" called without "try/catch" in a request handler would cause an unhandled exception, potentially crashing the process.
- Lower impact: "validateAsync()" or "validate()" inside a "try/catch": the validation fails, but the error type is "RangeError" rather than a structured "ValidationError", complicating error handling.
Patches
Upgrade to version >= 18.2.1.
Workarounds
Try/catch the validation to avoid uncaught exceptions.
Resources
- Pull request: hapijs/joi#3113
Publish Date: 2026-06-11
URL: CVE-2026-48038
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-q7cg-457f-vx79
Release Date: 2026-06-11
Fix Resolution: joi - 18.2.1