NodeJS/hapi/11.1.0
HTTP Server framework
https://www.npmjs.com/package/hapi
BSD-3-Clause
5 Security Vulnerabilities
Denial of Service in hapi
All versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services.
Recommendation
This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.
Unsafe Merging of CORS Configuration Conflict in hapi
Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended.
Recommendation
Update hapi to version 11.1.4 or later.
Denial of Service in hapi
- https://nvd.nist.gov/vuln/detail/CVE-2015-9241
- https://github.com/advisories/GHSA-rc8h-3fv6-pxv8
- https://github.com/jfhbrook/node-ecstatic/pull/179
- https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580
- https://nodesecurity.io/advisories/64
- https://www.npmjs.com/advisories/63
- https://nodesecurity.io/advisories/63
Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.
The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.
This causes an 'illegal access' exception to be raised, and instead of sending an HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).
Recommendation
Update to v11.1.3 or later
Denial of service - Potential socket exhaustion
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).
Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory which led to identifying this.
Route level CORS config overrides connection level defaults
When server-level, connection-level or route-level CORS configurations are combined, a higher-level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).
295 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
1.12.0 | BSD | 9 | 2013-10-01 - 19:05 | over 10 years |
1.11.1 | BSD | 9 | 2013-09-18 - 00:40 | over 10 years |
1.11.0 | BSD | 9 | 2013-09-16 - 21:10 | over 10 years |
1.10.0 | BSD | 9 | 2013-09-09 - 22:18 | over 10 years |
1.9.7 | BSD | 9 | 2013-09-04 - 18:06 | over 10 years |
1.9.6 | BSD | 9 | 2013-08-29 - 20:25 | over 10 years |
1.9.5 | BSD | 9 | 2013-08-28 - 23:51 | over 10 years |
1.9.4 | BSD | 9 | 2013-08-15 - 20:56 | over 10 years |
1.9.3 | BSD | 9 | 2013-08-15 - 20:16 | over 10 years |
1.9.2 | BSD | 9 | 2013-08-15 - 19:17 | over 10 years |
1.9.1 | BSD | 9 | 2013-08-15 - 18:38 | over 10 years |
1.9.0 | BSD | 9 | 2013-07-23 - 00:34 | almost 11 years |
1.8.3 | BSD | 9 | 2013-07-15 - 20:41 | almost 11 years |
1.8.2 | BSD | 9 | 2013-06-26 - 14:35 | almost 11 years |
1.8.1 | BSD | 9 | 2013-06-17 - 20:50 | almost 11 years |
1.8.0 | BSD | 9 | 2013-06-13 - 18:12 | almost 11 years |
1.7.3 | BSD | 9 | 2013-06-07 - 22:18 | almost 11 years |
1.7.2 | BSD | 9 | 2013-06-04 - 21:25 | almost 11 years |
1.7.1 | BSD | 9 | 2013-06-04 - 16:39 | almost 11 years |
1.7.0 | BSD | 9 | 2013-06-04 - 06:57 | almost 11 years |
1.6.2 | BSD | 9 | 2013-05-31 - 04:45 | almost 11 years |
1.6.1 | BSD | 9 | 2013-05-30 - 19:51 | almost 11 years |
1.6.0 | BSD | 9 | 2013-05-29 - 17:54 | almost 11 years |
1.5.0 | BSD | 9 | 2013-05-27 - 23:00 | almost 11 years |
1.4.0 | BSD | 9 | 2013-05-25 - 16:06 | almost 11 years |
1.3.0 | BSD | 9 | 2013-05-23 - 07:21 | almost 11 years |
1.2.0 | BSD | 9 | 2013-05-14 - 19:00 | about 11 years |
1.1.0 | BSD | 9 | 2013-05-10 - 16:11 | about 11 years |
1.0.3 | BSD | 9 | 2013-05-06 - 18:51 | about 11 years |
1.0.2 | BSD | 9 | 2013-05-03 - 07:26 | about 11 years |
1.0.1 | BSD | 9 | 2013-05-02 - 22:32 | about 11 years |
1.0.0 | BSD | 9 | 2013-04-30 - 20:22 | about 11 years |
0.16.0 | BSD | 9 | 2013-04-03 - 07:46 | about 11 years |
0.15.9 | BSD | 9 | 2013-04-03 - 02:34 | about 11 years |
0.15.8 | BSD | 9 | 2013-03-29 - 20:45 | about 11 years |
0.15.7 | BSD | 9 | 2013-03-28 - 02:14 | about 11 years |
0.15.6 | BSD | 9 | 2013-03-19 - 05:26 | about 11 years |
0.15.5 | BSD | 9 | 2013-03-18 - 21:03 | about 11 years |
0.15.4 | BSD | 9 | 2013-03-18 - 20:13 | about 11 years |
0.15.3 | BSD | 9 | 2013-03-15 - 21:57 | about 11 years |
0.15.2 | BSD | 9 | 2013-03-14 - 05:18 | about 11 years |
0.15.1 | BSD | 9 | 2013-03-13 - 06:14 | about 11 years |
0.15.0 | BSD | 9 | 2013-03-09 - 01:30 | about 11 years |
0.14.2 | BSD | 9 | 2013-02-26 - 18:12 | about 11 years |
0.14.1 | BSD | 9 | 2013-02-20 - 23:20 | about 11 years |
0.14.0 | BSD | 9 | 2013-02-20 - 22:00 | about 11 years |
0.13.3 | BSD | 9 | 2013-02-20 - 21:09 | about 11 years |
0.13.2 | BSD | 9 | 2013-02-05 - 00:42 | over 11 years |
0.13.1 | BSD | 9 | 2013-02-04 - 21:30 | over 11 years |
0.13.0 | BSD | 9 | 2013-02-04 - 17:53 | over 11 years |
0.12.0 | BSD | 9 | 2013-01-31 - 18:10 | over 11 years |
0.11.4 | BSD | 9 | 2013-02-19 - 18:09 | about 11 years |
0.11.3 | BSD | 9 | 2013-01-14 - 16:10 | over 11 years |
0.11.2 | BSD | 9 | 2013-01-10 - 07:03 | over 11 years |
0.11.1 | BSD | 9 | 2013-01-10 - 02:42 | over 11 years |
0.11.0 | BSD | 9 | 2013-01-08 - 23:45 | over 11 years |
0.10.1 | BSD | 9 | 2012-12-20 - 17:38 | over 11 years |
0.10.0 | BSD | 9 | 2012-12-18 - 08:39 | over 11 years |
0.9.2 | BSD | 9 | 2012-12-04 - 20:28 | over 11 years |
0.9.1 | BSD | 9 | 2012-11-27 - 21:47 | over 11 years |
0.9.0 | BSD | 9 | 2012-11-19 - 22:24 | over 11 years |
0.8.4 | BSD | 9 | 2012-11-07 - 20:54 | over 11 years |
0.8.3 | BSD | 9 | 2012-11-05 - 23:23 | over 11 years |
0.8.2 | BSD | 9 | 2012-11-01 - 22:25 | over 11 years |
0.8.1 | BSD | 9 | 2012-10-31 - 18:45 | over 11 years |
0.8.0 | BSD | 9 | 2012-10-27 - 00:21 | over 11 years |
0.7.1 | BSD | 9 | 2012-10-01 - 20:58 | over 11 years |
0.7.0 | BSD | 9 | 2012-09-21 - 00:54 | over 11 years |
0.6.1 | BSD-3-Clause | 9 | 2012-09-06 - 17:12 | over 11 years |
0.6.0 | BSD-3-Clause | 9 | 2012-09-06 - 17:10 | over 11 years |
0.5.2 | BSD-3-Clause | 9 | 2012-09-12 - 17:05 | over 11 years |
0.5.1 | BSD-3-Clause | 9 | 2012-07-23 - 17:27 | almost 12 years |
0.5.1-b2 | BSD-3-Clause | 9 | 2014-01-11 - 03:18 | over 10 years |
0.5.1-c | BSD-3-Clause | 9 | 2014-01-11 - 03:18 | over 10 years |
0.5.1-a | BSD-3-Clause | 9 | 2014-01-11 - 03:18 | over 10 years |
0.5.1-b | BSD-3-Clause | 9 | 2014-01-11 - 03:18 | over 10 years |
0.5.0 | BSD-3-Clause | 9 | 2012-06-01 - 21:15 | almost 12 years |
0.4.4 | BSD-3-Clause | 9 | 2012-05-16 - 21:11 | almost 12 years |
0.4.3 | BSD-3-Clause | 9 | 2012-05-15 - 15:17 | almost 12 years |
0.4.2 | BSD-3-Clause | 9 | 2012-05-09 - 21:31 | about 12 years |
0.4.1 | BSD-3-Clause | 9 | 2012-05-09 - 18:57 | about 12 years |
0.4.0 | BSD-3-Clause | 9 | 2012-05-09 - 18:48 | about 12 years |
0.3.0 | BSD-3-Clause | 9 | 2012-04-25 - 20:45 | about 12 years |
0.2.1 | BSD-3-Clause | 9 | 2012-02-29 - 20:24 | about 12 years |
0.2.0 | BSD-3-Clause | 9 | 2012-02-22 - 21:34 | about 12 years |
0.1.3 | BSD-3-Clause | 9 | 2012-02-18 - 01:11 | about 12 years |
0.1.2 | BSD-3-Clause | 9 | 2012-02-15 - 21:17 | about 12 years |
0.1.1 | BSD-3-Clause | 9 | 2012-02-13 - 23:05 | about 12 years |
0.1.0 | BSD-3-Clause | 9 | 2012-02-09 - 16:22 | over 12 years |
0.0.6 | BSD-3-Clause | 9 | 2011-11-29 - 17:20 | over 12 years |
0.0.5 | BSD-3-Clause | 9 | 2011-11-23 - 01:12 | over 12 years |
0.0.4 | BSD-3-Clause | 9 | 2011-11-21 - 00:54 | over 12 years |
0.0.3 | BSD-3-Clause | 9 | 2011-11-20 - 20:51 | over 12 years |
0.0.2 | BSD-3-Clause | 9 | 2011-11-20 - 20:46 | over 12 years |
0.0.1 | BSD-3-Clause | 9 | 2011-08-06 - 00:41 | almost 13 years |