18.1.0
13 years ago
5 years ago
Package is deprecated
Known vulnerabilities in the hapi package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
hapi is a HTTP Server framework. Affected versions of this package are vulnerable to Denial of Service (DoS). The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services. How to fix Denial of Service (DoS)? There is no fixed version for | * |
Security restrictions (e.g. origin) get overridden by less restrictive defaults (i.e. all origins) in cases when server level, connection level or route level CORS configurations are combined. | <11.1.4 |
Sending a purposefully crafted invalid date in the The vulnerability is caused by the combination of two bugs.
First, the underlying V8 engine throws an exception when processing the specially crafted date, instead of stating the date is invalid as it should. Second, the Upgrading | <11.1.3 |
Hapi v11.0.0 and below have an incorrect implementation of the CORS protocol, and allow for configurations that, at best, return inconsistent headers and, at worst, cross-origin activities that are expected to be forbidden. How to fix CORS Bypass? Upgrade to a version 11.0.0 or greater. | <11.0.0 |
This description taken from the pull request provided by Patrick Kettner. tl:dr - someone created a alphanum only swf converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains. Prepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and GitHub. Source: Node Security Project How to fix Rosetta-flash jsonp vulnerability? Upgrade to the latest version of hapi.js | <6.1.0 |