Description
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site that is visited by an application consumer.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://nodesecurity.io/advisories/crumb_cors_token_disclosure
Patch x_refsource_confirm
https://github.com/hapijs/crumb/commit/5e6d4f5c81677fe9e362837ffd4a02394303db3c
Scores
EPSS
0.0137
EPSS Percentile
68.5%
Details
CWE
CWE-284
Status
published
Products (2)
npm/crumb
0 - 3.0.0npm
sideway/hapi_crumb
< 2.2.0
Published
Dec 25, 2014
Tracked Since
Feb 18, 2026