@hapi/inert has a static-file confinement bypass via sibling-prefix path
### Impact

`@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the resolved absolute path against the confine directory using a raw string-prefix test. A sibling directory whose absolute path begins with the same characters as the confine directory (e.g. `/app/static-secret` next to a served `/app/static`) was therefore incorrectly accepted as confined.

An unauthenticated remote attacker who knows or guesses such a sibling name can read any file inside it with a request like `/..%2fstatic-secret/secret.txt` (the `%2f` decodes to `/`, so the path resolves to `/app/static-secret/secret.txt`, which still begins with the string `/app/static`), provided the file is readable by the server process. Only applications that have a sibling directory sharing a string prefix with the served directory are exploitable; applications with no such sibling are unaffected.

### Patches

Upgrade to 7.1.1.

### Workarounds

For users who cannot upgrade immediately: ensure the directory served via inert has no sibling whose name starts with the same characters (for example, rename `static-secret/` to `secret/`, or move it to a different parent directory). Apply this to every served `path` / `relativeTo`, since each confine directory has its own set of siblings.

### Resources

Pull Request: https://github.com/hapijs/inert/pull/176
Tracked as CVE-2026-48049. No CVSS base score has been published by NVD or GHSA yet, no VEX (Vulnerability Exploitability eXchange) statements have been published by vendors, and no exploitation is recorded.