CVE-2026-48049 in inertinfo

Summary

by MITRE • 07/17/2026

@hapi/inert provides static file and directory handlers for hapi.js. From 4.0.0 to 7.1.0, @hapi/inert serves static files from a directory configured with path in the directory or file handlers or relativeTo for h.file(), with confinement enforced by the confine option, but the confinement check compared the resolved absolute path against the confine directory using a raw string-prefix test, so a sibling directory such as /app/static-secret next to /app/static was incorrectly accepted and could allow an unauthenticated remote attacker to read files via /..%2fstatic-secret/secret.txt. This issue is fixed in version 7.1.1.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in @hapi/inert affects versions 4.0.0 through 7.1.0 and represents a directory traversal security flaw that undermines the intended file access controls. This issue specifically impacts the static file and directory handlers within the hapi.js framework where developers configure path settings for serving content. The security mechanism relies on a confine option to restrict file access to specific directories, but the implementation contains a critical flaw in how it validates these boundaries. The vulnerability stems from a simplistic string-prefix comparison approach that fails to properly resolve and validate absolute file paths against the designated confinement directory.

The technical exploitation occurs through carefully crafted URL sequences that leverage URL encoding to bypass the flawed validation logic. When an attacker constructs a path such as /..%2fstatic-secret/secret.txt, the system incorrectly accepts this request because the raw string comparison does not account for proper path resolution and normalization. The flaw allows an unauthenticated remote attacker to access files in sibling directories that should be restricted by the confine option. This represents a classic directory traversal vulnerability where the security boundary checking mechanism is insufficiently robust against crafted input sequences.

The operational impact of this vulnerability extends beyond simple file access, as it could enable attackers to read sensitive configuration files, credentials, or other confidential data stored in adjacent directories. The flaw affects both directory and file handlers within the framework, making it particularly dangerous since it can be exploited through multiple entry points. Organizations using affected versions of @hapi/inert are exposed to unauthorized data access that could lead to data breaches, information disclosure, and potential further exploitation opportunities. This vulnerability directly relates to CWE-22 Directory Traversal and aligns with ATT&CK technique T1083 File and Directory Discovery, as it allows adversaries to enumerate and access restricted file system locations.

The fix implemented in version 7.1.1 addresses the core validation issue by replacing the raw string-prefix test with proper path resolution and comparison mechanisms. This enhancement ensures that absolute paths are correctly normalized and validated against the confinement directory, preventing the exploitation of the traversal logic. The remediation follows security best practices for path handling and demonstrates the importance of proper input validation in security-critical components. Organizations should immediately upgrade to version 7.1.1 or later to address this vulnerability, as the flaw represents a significant risk to applications relying on static file serving capabilities within the hapi.js framework. The incident underscores the necessity of robust path validation mechanisms and proper sandboxing techniques when implementing file access controls in web applications.

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!