NodeJS/hapi/10.5.0

HTTP Server framework

Repo Link: https://www.npmjs.com/package/hapi
License: BSD-3-Clause

7 Security Vulnerabilities

Denial of Service in hapi

Published date: 2020-09-03T15:48:00Z

Links:

All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Recommendation

This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.

Affected versions: ["0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.0.6", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.2.0", "0.2.1", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.5.0", "0.5.1", "0.6.0", "0.6.1", "0.5.2", "0.7.0", "0.7.1", "0.8.0", "0.8.1", "0.8.2", "0.8.3", "0.8.4", "0.9.0", "0.9.1", "0.9.2", "0.10.0", "0.10.1", "0.11.0", "0.11.1", "0.11.2", "0.11.3", "0.12.0", "0.13.0", "0.13.1", "0.13.2", "0.11.4", "0.13.3", "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.15.1", "0.15.2", "0.15.3", "0.15.4", "0.15.5", "0.15.6", "0.15.7", "0.15.8", "0.15.9", "0.16.0", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.10.0", "1.11.0", "1.11.1", "1.12.0", "1.13.0", "1.14.0", "1.15.0", "1.16.0", "1.16.1", "1.17.0", "1.18.0", "1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.20.0", "2.0.0-preview", "0.5.1-a", "0.5.1-b", "0.5.1-b2", "0.5.1-c", "2.0.0", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "3.0.0", "3.0.1", "3.0.2", "3.1.0", "4.0.0", "4.0.1", "4.0.2", "4.0.3", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "5.0.0", "5.1.0", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.2.2", "6.3.0", "6.4.0", "6.5.0", "6.5.1", "6.6.0", "6.7.0", "6.7.1", "6.8.0", "6.8.1", "6.9.0", "6.10.0", "6.11.0", "6.11.1", "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.3.0", "7.4.0", "7.5.0", "7.5.1", "7.5.2", "8.0.0", "7.5.3", "8.1.0", "8.2.0", "8.3.0", "8.3.1", "8.4.0", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.6.0", "8.6.1", "8.8.0", "8.8.1", "9.0.0", "9.0.1", "9.0.2", "9.0.3", "9.0.4", "9.1.0", "9.2.0", "9.3.0", "9.3.1", "10.0.0", "10.0.1", "10.1.0", "10.2.1", "10.4.0", "10.4.1", "10.5.0", "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.1.0", "11.1.1", "11.1.2", "11.1.3", "11.1.4", "12.0.0", "12.0.1", "12.1.0", "9.5.1", "13.0.0", "13.1.0", "13.2.0", "13.2.1", "13.2.2", "13.3.0", "13.4.0", "13.4.1", "13.4.2", "13.5.0", "14.0.0", "13.5.3", "14.1.0", "14.2.0", "15.0.1", "15.0.2", "15.0.3", "15.1.0", "15.1.1", "15.2.0", "16.0.0", "16.0.1", "16.0.2", "16.0.3", "16.1.0", "16.1.1", "16.2.0", "16.3.0", "16.3.1", "16.4.0", "16.4.1", "16.4.2", "16.4.3", "16.5.0", "16.5.1", "16.5.2", "16.6.0", "16.6.1", "16.6.2", "17.0.0-rc1", "17.0.0-rc2", "17.0.0-rc3", "17.0.0-rc4", "17.0.0-rc6", "17.0.0-rc8", "17.0.0-rc9", "17.0.0-rc10", "17.0.0", "17.0.1", "17.0.2", "17.1.0", "17.1.1", "17.2.0", "17.2.1", "16.6.3", "17.2.2", "17.2.3", "17.3.0", "17.3.1", "17.4.0", "17.5.0", "17.5.1", "17.5.2", "17.5.3", "17.5.4", "17.5.5", "17.6.0", "17.6.1", "17.6.2", "17.6.3", "16.6.4", "17.6.4", "16.6.5", "17.7.0", "16.7.0", "17.8.0", "17.8.1", "18.0.0", "17.8.2", "17.8.3", "18.0.1", "17.8.4", "18.1.0", "17.8.5", "16.8.4"]

Secure versions: []

Unsafe Merging of CORS Configuration Conflict in hapi

Published date: 2020-09-01T15:20:00Z

CVE: CVE-2015-9243

Links:

Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.

Recommendation

Update hapi to version 11.1.4 or later.

Secure versions: []

Denial of Service in hapi

Published date: 2018-06-07T19:43:15Z

CVE: CVE-2015-9241

Links:

Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.

The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.

This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

Recommendation

Update to v11.1.3 or later

Secure versions: []

Incorrect handling of CORS preflight request headers in hapi

Published date: 2018-06-07T19:43:25Z

CVE: CVE-2015-9236

Links:

Versions of hapi prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden.

If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

Recommendation

Update to version 11.0.0 or later.

Secure versions: []

Incorrect handling of CORS preflight request headers

Published date: 2015-10-20

CVSS Score: 5.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Coordinating vendor: ^Lift Security

Links:

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. [1]

'If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.' [2]

Secure versions: []

Recommendation: Updated to hapi version 11.0.0 or greater

Denial of service - Potential socket exhaustion

Published date: 2015-12-23

CVSS Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Coordinating vendor: ^Lift Security

Links:

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).

Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory which lead to identifying this.

Secure versions: []

Recommendation: Upgrade to hapi v11.1.3 or greater.

Route level CORS config overrides connection level defaults

Published date: 2015-12-28

CVSS Score: 6.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Coordinating vendor: ^Lift Security

Links:

https://github.com/hapijs/hapi/issues/2980

When server level, connection level or route level CORS configurations are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).

Secure versions: []

Recommendation: You should install hapi v11.1.4 or newer if you combine server level, connection level, or route level CORS configuration.

295 Other Versions

Version	License	Security	Released
18.1.0	BSD-3-Clause	1	2019-02-04 - 21:52	about 5 years
18.0.1	BSD-3-Clause	1	2019-01-31 - 20:14	about 5 years
18.0.0	BSD-3-Clause	1	2019-01-18 - 20:07	over 5 years
17.8.5	BSD-3-Clause	1	2019-03-19 - 01:21	about 5 years
17.8.4	BSD-3-Clause	1	2019-02-04 - 21:33	about 5 years
17.8.3	BSD-3-Clause	1	2019-01-31 - 20:11	about 5 years
17.8.2	BSD-3-Clause	1	2019-01-31 - 20:02	about 5 years
17.8.1	BSD-3-Clause	1	2018-11-23 - 04:19	over 5 years
17.8.0	BSD-3-Clause	1	2018-11-23 - 03:11	over 5 years
17.7.0	BSD-3-Clause	1	2018-11-06 - 00:50	over 5 years
17.6.4	BSD-3-Clause	1	2018-11-03 - 04:32	over 5 years
17.6.3	BSD-3-Clause	1	2018-11-02 - 17:56	over 5 years
17.6.2	BSD-3-Clause	1	2018-11-01 - 22:31	over 5 years
17.6.1	BSD-3-Clause	1	2018-11-01 - 22:26	over 5 years
17.6.0	BSD-3-Clause	1	2018-09-25 - 07:55	over 5 years
17.5.5	BSD-3-Clause	1	2018-09-23 - 06:01	over 5 years
17.5.4	BSD-3-Clause	1	2018-08-28 - 07:46	over 5 years
17.5.3	BSD-3-Clause	1	2018-08-02 - 00:17	over 5 years
17.5.2	BSD-3-Clause	1	2018-06-24 - 04:17	almost 6 years
17.5.1	BSD-3-Clause	1	2018-05-30 - 15:18	almost 6 years
17.5.0	BSD-3-Clause	1	2018-05-21 - 17:59	almost 6 years
17.4.0	BSD-3-Clause	1	2018-04-29 - 00:44	about 6 years
17.3.1	BSD-3-Clause	1	2018-04-02 - 19:18	about 6 years
17.3.0	BSD-3-Clause	1	2018-03-31 - 00:33	about 6 years
17.2.3	BSD-3-Clause	1	2018-03-16 - 05:38	about 6 years
17.2.2	BSD-3-Clause	1	2018-03-07 - 09:17	about 6 years
17.2.1	BSD-3-Clause	1	2018-03-01 - 09:45	about 6 years
17.2.0	BSD-3-Clause	1	2017-12-20 - 06:31	over 6 years
17.1.1	BSD-3-Clause	1	2017-11-23 - 19:08	over 6 years
17.1.0	BSD-3-Clause	1	2017-11-23 - 09:46	over 6 years
17.0.2	BSD-3-Clause	1	2017-11-21 - 07:25	over 6 years
17.0.1	BSD-3-Clause	1	2017-11-05 - 08:55	over 6 years
17.0.0	BSD-3-Clause	1	2017-11-03 - 22:30	over 6 years
17.0.0-rc10	BSD-3-Clause	1	2017-11-03 - 09:52	over 6 years
17.0.0-rc9	BSD-3-Clause	1	2017-10-22 - 08:56	over 6 years
17.0.0-rc8	BSD-3-Clause	1	2017-10-18 - 09:30	over 6 years
17.0.0-rc6	BSD-3-Clause	1	2017-10-07 - 09:42	over 6 years
17.0.0-rc4	BSD-3-Clause	1	2017-10-06 - 23:19	over 6 years
17.0.0-rc3	BSD-3-Clause	1	2017-10-06 - 09:13	over 6 years
17.0.0-rc2	BSD-3-Clause	1	2017-10-02 - 20:11	over 6 years
17.0.0-rc1	BSD-3-Clause	1	2017-09-28 - 19:24	over 6 years
16.8.4	SEE LICENSE IN LICENSE.md	1	2024-01-06 - 10:28	4 months
16.7.0	BSD-3-Clause	1	2018-11-06 - 03:27	over 5 years
16.6.5	BSD-3-Clause	1	2018-11-05 - 22:47	over 5 years
16.6.4	BSD-3-Clause	1	2018-11-02 - 21:52	over 5 years
16.6.3	BSD-3-Clause	1	2018-03-01 - 09:54	about 6 years
16.6.2	BSD-3-Clause	1	2017-09-25 - 20:37	over 6 years
16.6.1	BSD-3-Clause	1	2017-09-24 - 17:34	over 6 years
16.6.0	BSD-3-Clause	1	2017-09-12 - 19:36	over 6 years
16.5.2	BSD-3-Clause	1	2017-08-04 - 05:01	over 6 years
16.5.1	BSD-3-Clause	1	2017-08-04 - 00:11	over 6 years
16.5.0	BSD-3-Clause	1	2017-07-20 - 08:38	almost 7 years
16.4.3	BSD-3-Clause	1	2017-06-09 - 18:33	almost 7 years
16.4.2	BSD-3-Clause	1	2017-06-08 - 07:06	almost 7 years
16.4.1	BSD-3-Clause	1	2017-06-05 - 17:27	almost 7 years
16.4.0	BSD-3-Clause	1	2017-06-05 - 08:13	almost 7 years
16.3.1	BSD-3-Clause	1	2017-06-05 - 03:22	almost 7 years
16.3.0	BSD-3-Clause	1	2017-05-30 - 20:47	almost 7 years
16.2.0	BSD-3-Clause	1	2017-05-29 - 09:41	almost 7 years
16.1.1	BSD-3-Clause	1	2017-03-31 - 20:13	about 7 years
16.1.0	BSD-3-Clause	3	2016-12-29 - 22:03	over 7 years
16.0.3	BSD-3-Clause	3	2016-12-29 - 08:21	over 7 years
16.0.2	BSD-3-Clause	3	2016-12-19 - 08:38	over 7 years
16.0.1	BSD-3-Clause	3	2016-12-01 - 19:03	over 7 years
16.0.0	BSD-3-Clause	3	2016-11-30 - 00:40	over 7 years
15.2.0	BSD-3-Clause	3	2016-10-20 - 17:13	over 7 years
15.1.1	BSD-3-Clause	3	2016-09-27 - 20:58	over 7 years
15.1.0	BSD-3-Clause	3	2016-09-27 - 00:02	over 7 years
15.0.3	BSD-3-Clause	3	2016-09-01 - 00:07	over 7 years
15.0.2	BSD-3-Clause	3	2016-08-28 - 21:48	over 7 years
15.0.1	BSD-3-Clause	3	2016-08-26 - 23:44	over 7 years
14.2.0	BSD-3-Clause	1	2016-08-13 - 20:38	over 7 years
14.1.0	BSD-3-Clause	1	2016-08-01 - 19:28	over 7 years
14.0.0	BSD-3-Clause	1	2016-07-29 - 18:28	over 7 years
13.5.3	BSD-3-Clause	1	2016-07-29 - 18:57	over 7 years
13.5.0	BSD-3-Clause	1	2016-07-06 - 03:56	almost 8 years
13.4.2	BSD-3-Clause	1	2016-07-04 - 04:31	almost 8 years
13.4.1	BSD-3-Clause	1	2016-05-21 - 08:11	almost 8 years
13.4.0	BSD-3-Clause	1	2016-05-07 - 21:32	almost 8 years
13.3.0	BSD-3-Clause	1	2016-04-02 - 17:22	about 8 years
13.2.2	BSD-3-Clause	1	2016-03-25 - 16:50	about 8 years
13.2.1	BSD-3-Clause	1	2016-03-11 - 06:11	about 8 years
13.2.0	BSD-3-Clause	1	2016-03-11 - 06:07	about 8 years
13.1.0	BSD-3-Clause	1	2016-03-10 - 01:50	about 8 years
13.0.0	BSD-3-Clause	1	2016-02-01 - 08:16	about 8 years
12.1.0	BSD-3-Clause	1	2016-01-09 - 22:38	over 8 years
12.0.1	BSD-3-Clause	1	2016-01-06 - 19:32	over 8 years
12.0.0	BSD-3-Clause	1	2016-01-04 - 23:10	over 8 years
11.1.4	BSD-3-Clause	1	2015-12-27 - 16:15	over 8 years
11.1.3	BSD-3-Clause	3	2015-12-23 - 21:52	over 8 years
11.1.2	BSD-3-Clause	5	2015-11-21 - 22:30	over 8 years
11.1.1	BSD-3-Clause	5	2015-11-14 - 17:39	over 8 years
11.1.0	BSD-3-Clause	5	2015-11-05 - 08:51	over 8 years
11.0.5	BSD-3-Clause	5	2015-11-03 - 20:53	over 8 years
11.0.4	BSD-3-Clause	5	2015-11-03 - 08:14	over 8 years
11.0.3	BSD-3-Clause	5	2015-10-30 - 06:09	over 8 years
11.0.2	BSD-3-Clause	5	2015-10-21 - 15:42	over 8 years
11.0.1	BSD-3-Clause	5	2015-10-20 - 04:47	over 8 years
11.0.0	BSD-3-Clause	5	2015-10-16 - 19:30	over 8 years
10.5.0	BSD-3-Clause	7	2015-10-15 - 16:00	over 8 years