PT-2018-4722 · Hapi · Call

Hueniverse · Published 2018-05-31 · Updated 2019-10-09 · CVE-2016-10543

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions
call versions 2.0.1 through 3.0.1

Description
The issue concerns a bug in the call HTTP router, primarily used by the hapi framework, where empty parameters are not validated. This could result in invalid input bypassing route validation rules. In a routing scheme such as "/api/{param}/{param2}/details", a request path like "/api///" could trigger this issue.

Recommendations
Update to version 3.0.2 or later. As a temporary workaround, consider restricting access to API endpoints with empty parameters to minimize the risk of exploitation.
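
One way to apply the temporary workaround is a guard that refuses request paths containing empty segments before they reach the router. This is an added example, not code from the call or hapi projects; the names `emptySegments` and `rejectEmptySegments`, the `allowTrailingSlash` option, the 400 response and the Connect-style `(req, res, next)` signature are assumptions.

```javascript
'use strict';

// Return the zero-based positions of empty segments in a request target.
// "/api///" splits into ["api", "", "", ""], so positions 1, 2 and 3 are empty.
function emptySegments(rawUrl, { allowTrailingSlash = false } = {}) {
  // Only the path is routed: drop the query string and fragment.
  const path = rawUrl.split(/[?#]/, 1)[0];
  if (path === '' || path === '/') return []; // root carries no parameters
  const segments = path.replace(/^\//, '').split('/');
  if (allowTrailingSlash && segments[segments.length - 1] === '') {
    segments.pop(); // tolerate one trailing slash: "/api/a/" -> ["api", "a"]
  }
  const empty = [];
  segments.forEach((segment, index) => {
    if (segment === '') empty.push(index);
  });
  return empty;
}

// Guard (hypothetical helper): answer 400 instead of handing the request
// to the router when any path segment is empty.
function rejectEmptySegments(options) {
  return function guard(req, res, next) {
    const empty = emptySegments(req.url, options);
    if (empty.length === 0) return next();
    res.statusCode = 400;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: 'empty path segment', positions: empty }));
  };
}

// Constructed sample request targets, based on the route in the description.
const samples = [
  '/api/alice/42/details',
  '/api///',
  '/api//42/details',
  '/api/alice/?x=1',
];
for (const url of samples) {
  console.log(url, '->', JSON.stringify(emptySegments(url)));
}
```

The guard is a stopgap for deployments that cannot yet move to 3.0.2 or later; it does not replace the update.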


Weakness Enumeration

Related identifiers

CVE-2016-10543
GHSA-84FV-PRRC-5GGR

Affected products

Call