CORS Token Disclosure

Module: crumb

Published: August 1st, 2014

Reported by: Marcus Stong



Vulnerable: <3.0.0
Patched: >=3.0.0


When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user.

A configuration and scenario where this would occur is unlikely, as most configurations will set CORS globally (where crumb is not used), or not at all.


Update to a version 3.0.0 or greater.


Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo