hapi@11.0.3 vulnerabilities

HTTP Server framework

Direct Vulnerabilities

Known vulnerabilities in the hapi package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Denial of Service (DoS)

hapi is a HTTP Server framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

How to fix Denial of Service (DoS)?

There is no fixed version for hapi.

*
  • M
Potentially loose security restrictions

Security restrictions (e.g. origin) get overridden by less restrictive defaults (i.e. all origins) in cases when server level, connection level or route level CORS configurations are combined.

<11.1.4
  • M
Potentially loose security restrictions

Security restrictions (e.g. origin) get overridden by less restrictive defaults (i.e. all origins) in cases when server level, connection level or route level CORS configurations are combined.

<11.1.4
  • H
Denial of Service (DoS)

Sending a purposefully crafted invalid date in the If-Modified-Since or Last-Modified header will cause the Hapi server to err but keep the socket open (the socket will time out after 2 minutes by default). This allows an attacker to quickly exhaust the sockets on the server, making it unavailable (a Denial of Service attack).

The vulnerability is caused by the combination of two bugs. First, the underlying V8 engine throws an exception when processing the specially crafted date, instead of stating the date is invalid as it should. Second, the Hapi server does not handle the exception well, leading to the socket remaining open.

Upgrading Hapi will address the second issue and thus fix the vulnerability.

<11.1.3