CVE-2014-7193

Published: Dec 25, 2014Modified: May 6, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site that is visited by an application consumer.

Affected (1)

Products: Sideway: Hapi Crumb

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sideway Hapi Crumb	Up to 2.2.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/hapijs/crumb/commit/5e6d4f5c81677fe9e362837ffd4a02394303db3c

Source: cve@mitre.org

https://nodesecurity.io/advisories/crumb_cors_token_disclosure

Source: cve@mitre.org

Vendor Advisory

https://github.com/hapijs/crumb/commit/5e6d4f5c81677fe9e362837ffd4a02394303db3c

Source: af854a3a-2127-422b-91ae-364da2661108

https://nodesecurity.io/advisories/crumb_cors_token_disclosure

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.