Denial of Service in hapi

High severity GitHub Reviewed Published Jun 7, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm hapi (npm)

Affected versions

< 11.1.3

Patched versions

11.1.3

Description

Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.

The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.

This causes an 'illegal access' exception to be raised, and instead of sending an HTTP 500 error back to the sender, hapi will continue to hold the socket open until it times out (the default Node timeout is 2 minutes).
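The failure mode described above, as an added illustration that is not hapi's code: a conditional-GET check that treats an unparseable If-Modified-Since value as absent, and a dispatcher that turns any exception raised while handling the request into a 500 response instead of a request that never completes. The header names come from this advisory; the sample requests, the `not-a-date` value and the throwing handler are constructed for the example and are not the input that triggers the hapi bug.

```javascript
// Parse an HTTP-date header value. Returns a timestamp in milliseconds, or
// null when the header is absent or not a valid date (RFC 7232 tells a
// server to ignore an If-Modified-Since value it cannot parse).
function parseHttpDate(value) {
  if (typeof value !== 'string') return null;
  const ms = Date.parse(value);
  return Number.isNaN(ms) ? null : ms;
}

// Decide the response for a GET of a resource last modified at
// `lastModifiedMs`. A valid If-Modified-Since at or after the modification
// time yields 304; anything else (including a malformed header) yields 200.
function conditionalGet(headers, lastModifiedMs) {
  const since = parseHttpDate(headers['if-modified-since']);
  if (since !== null && lastModifiedMs <= since) {
    return { status: 304, body: '' };
  }
  return { status: 200, body: 'resource body' };
}

// Dispatcher that guarantees every request gets a reply. An exception thrown
// while handling the request becomes a 500 instead of an open socket that is
// only released by the server timeout (the behaviour the advisory describes).
function dispatch(handler, headers) {
  try {
    return handler(headers);
  } catch (err) {
    return { status: 500, body: 'Internal Server Error' };
  }
}

// Constructed sample data (not from the advisory).
const LAST_MODIFIED = Date.parse('Tue, 15 Nov 1994 12:45:26 GMT');
const freshClient = { 'if-modified-since': 'Wed, 16 Nov 1994 00:00:00 GMT' };
const staleClient = { 'if-modified-since': 'Mon, 14 Nov 1994 00:00:00 GMT' };
const malformed = { 'if-modified-since': 'not-a-date' };

// A handler that always throws, standing in for the unhandled exception case.
function brokenHandler() {
  throw new Error('illegal access');
}

const handler = (h) => conditionalGet(h, LAST_MODIFIED);

// Stand-alone run: every request, including the throwing one, gets a status.
console.log(dispatch(handler, freshClient).status);   // 304
console.log(dispatch(handler, malformed).status);     // 200
console.log(dispatch(brokenHandler, malformed).status); // 500
```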

Recommendation

Update to v11.1.3 or later

References

Published to the GitHub Advisory Database Jun 7, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

CVE-2015-9241

GHSA ID

GHSA-rc8h-3fv6-pxv8

Source code

No known source code