CVE-2016-10543 — Route Validation Bypass in call

Description

Affected versions of `call` do not validate empty parameters, which may result in a bypass of route validation rules. ## Proof of Concept Routing Scheme: ``` /api/{param}/{param2}/details ``` Triggering Request Path: ``` /api/// ``` ## Recommendation Update to version 3.0.2 or later.

How to fix CVE-2016-10543

To remediate CVE-2016-10543, upgrade the affected package to a fixed version below.

npm/call—upgrade to 3.0.2 or later

Is CVE-2016-10543 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.1, < 3.0.2

References (4)

ADVISORYgithub.com/advisories/GHSA-84fv-prrc-5ggr
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10543
WEBgithub.com/hapijs/hapi/issues/3228
WEBwww.npmjs.com/advisories/121