Notes for v17.8.3 and v18.0.1 Security Update #3916

Closed
hueniverse opened this Issue Jan 31, 2019 · 0 comments


hueniverse commented Jan 31, 2019

Acknowledgements

The security issue was initially reported by the Lob engineering team to @Marsup as part of a joi security report. The Lob team reported the issue privately and responsibly with a proposed fix and tests to reproduce the issue. We are very grateful to them for the way it was reported and the extra mile in working with us to better understand it.

Triage was performed by @Marsup, @nlf, and @hueniverse.

The bourne module name was generously contributed by @andrew8088. The code was reviewed by @nlf and @mcollina. Benchmarking code was added by @mcollina.

Issue

A severe security threat has been identified related to prototype poisoning. The issue itself is not a bug in hapi but in the way JSON.parse() and Object.assign() (or similar local implementations) interact with each other.

```
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'

> const b = JSON.parse(a);
{ __proto__: { b: 5 } }

> b.b;
undefined

> const c = Object.assign({}, b);
{}

> c.b
5
```

Specifically for hapi, if you manipulate request.payload in onCredentials or onPostAuth prior to validation, joi may fail to identify invalid user input as well as leak prototype methods into your runtime environment. This could result in a catastrophic outcome.

Because of the nature of this issue, we cannot pin it to any specific module. The threat itself comes from your own code and how you interact with incoming payload parsed with JSON.parse() (by hapi or manually). The security patches (for hapi v16, v17, and v18) address this by blocking potential threats at the source where the payload is processed.

However, even this protection is limited to content processed by hapi. If you allow payload data to stream through, you might still have to deal with this issue yourself.

In addition, query string processing may also suffer from this if you use a custom module for converting incoming query strings into objects. If you use node’s query string parser (used by hapi) or the QS module, you are safe.

Next Steps

To address this threat, a new module, bourne, is now available which provides a drop-in replacement for JSON.parse(). If you call JSON.parse() on any external or untrusted data source, consider switching to this new module.

If you use onCredentials or onPostAuth in your code, or if you use the base64json cookie encoding format, review your handling of request.payload and request.state objects to ensure your current (pre-patched) code is not at risk.
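The JSON.parse() and Object.assign() interaction shown in the Issue section, together with the kind of drop-in replacement for JSON.parse() recommended under Next Steps, as an added example that is not hapi's or bourne's own code. The payloads, the unsafeMerge/safeParse/safeMerge names and the protoAction option are assumptions made for this illustration.

```javascript
// Added example (not hapi's or bourne's own code). It reproduces the
// JSON.parse() + Object.assign() interaction from the report and shows a
// drop-in replacement for JSON.parse() that refuses or strips "__proto__"
// keys before they can reach a merge. Both payloads below are constructed.

const UNTRUSTED = '{"__proto__":{"isAdmin":true},"name":"alice"}';
const NESTED = '{"profile":{"__proto__":{"isAdmin":true}},"name":"bob"}';

// The unsafe flow: parse, then merge into a fresh object. JSON.parse() creates
// an ordinary own property named "__proto__" (parsed.isAdmin stays undefined),
// but Object.assign() copies it with [[Set]], which invokes the
// Object.prototype "__proto__" setter and swaps the target's prototype for
// attacker-chosen data. The global Object.prototype itself is not modified;
// the merged object simply inherits whatever the payload supplied.
function unsafeMerge(text) {
  const parsed = JSON.parse(text);
  return Object.assign({}, parsed);
}

// Hardened replacement (hypothetical API, modelled on the drop-in idea).
// protoAction 'error' (default) throws so the request can be rejected;
// 'remove' silently drops the key at any depth. Both rely on the reviver
// contract: returning undefined deletes the own property being revived.
function safeParse(text, { protoAction = 'error' } = {}) {
  return JSON.parse(text, function reviver(key, value) {
    if (key !== '__proto__') return value;
    if (protoAction === 'remove') return undefined;
    throw new SyntaxError('Object contains forbidden prototype property');
  });
}

// Same merge as before, but fed by the hardened parser.
function safeMerge(text, options) {
  return Object.assign({}, safeParse(text, options));
}
```

The reviver runs for nested objects too, so a "__proto__" key buried inside a sub-object is caught by the same check.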
