Hapi Node Module Security Vulnerabilities
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is...
7.5CVSS
7.4AI Score
0.001EPSS
Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not...
5.3CVSS
5.2AI Score
0.001EPSS
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2...
7.5CVSS
7.5AI Score
0.003EPSS
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions...
5.9CVSS
5.6AI Score
0.001EPSS
When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass...
9.8CVSS
9.5AI Score
0.003EPSS