hapi@1.6.0 vulnerabilities

HTTP Server framework

  • latest version

    18.1.0

  • first published

    13 years ago

  • latest version published

    5 years ago

  • deprecated

    Package is deprecated

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hapi package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Denial of Service (DoS)

    hapi is a HTTP Server framework.

    Affected versions of this package are vulnerable to Denial of Service (DoS). The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

    How to fix Denial of Service (DoS)?

    There is no fixed version for hapi.

    *
    • M
    Potentially loose security restrictions

    Security restrictions (e.g. origin) get overridden by less restrictive defaults (i.e. all origins) in cases when server level, connection level or route level CORS configurations are combined.

    <11.1.4
    • H
    Denial of Service (DoS)

    Sending a purposefully crafted invalid date in the If-Modified-Since or Last-Modified header will cause the Hapi server to err but keep the socket open (the socket will time out after 2 minutes by default). This allows an attacker to quickly exhaust the sockets on the server, making it unavailable (a Denial of Service attack).

    The vulnerability is caused by the combination of two bugs. First, the underlying V8 engine throws an exception when processing the specially crafted date, instead of stating the date is invalid as it should. Second, the Hapi server does not handle the exception well, leading to the socket remaining open.

    Upgrading Hapi will address the second issue and thus fix the vulnerability.

    <11.1.3
    • L
    CORS Bypass

    Hapi v11.0.0 and below have an incorrect implementation of the CORS protocol, and allow for configurations that, at best, return inconsistent headers and, at worst, cross-origin activities that are expected to be forbidden.

    How to fix CORS Bypass?

    Upgrade to a version 11.0.0 or greater.

    <11.0.0
    • H
    Rosetta-flash jsonp vulnerability

    This description taken from the pull request provided by Patrick Kettner.

    tl:dr - someone created a alphanum only swf converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.

    Prepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and GitHub.

    Source: Node Security Project

    How to fix Rosetta-flash jsonp vulnerability?

    Upgrade to the latest version of hapi.js

    <6.1.0