
73 matches found

NVD
added 2018/06/04 7:29 p.m., 18 views

CVE-2017-16025

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket...

CVSS 5.9, AI score 5.8, EPSS 0.00365
Exploits: 0, References: 3

Prion
added 2018/06/04 7:29 p.m., 16 views

Design/Logic Flaw

hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...

CVSS 5, AI score 7.5, EPSS 0.00334
Exploits: 0, References: 2, Affected Software: 1

Prion
added 2018/06/04 7:29 p.m., 14 views

Design/Logic Flaw

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket...

CVSS 4.3, AI score 5.8, EPSS 0.00365
Exploits: 0, References: 3, Affected Software: 1

NVD
added 2018/06/04 7:29 p.m., 9 views

CVE-2017-16013

hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...

CVSS 7.5, AI score 7.5, EPSS 0.00334
Exploits: 0, References: 2

OSV
added 2018/06/04 7:29 p.m., 11 views

CVE-2017-16013

hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...

CVSS 7.5, AI score 7.7
Exploits: 0, References: 2

Cvelist
added 2018/06/04 7:0 p.m., 13 views

CVE-2017-16013

hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...

AI score 7.5, EPSS 0.00334
Exploits: 0, References: 2

Cvelist
added 2018/06/04 7:0 p.m., 22 views

CVE-2017-16025

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket...

AI score 5.8, EPSS 0.00365
Exploits: 0, References: 3

CVE
added 2018/06/04 7:0 p.m., 60 views

CVE-2017-16013

The CVE-2017-16013 entry concerns the hapi web framework for Node.js. Affected versions are 15.0.0 through 16.1.0, where receiving a malformed accept-encoding header can trigger an uncaught exception, causing the hapi process to crash or the client connection to hang until timeout. This has been ...

CVSS 7.5, AI score 7.4, EPSS 0.00334
Exploits: 0, References: 2, Affected Software: 1

CVE
added 2018/06/04 7:0 p.m., 53 views

CVE-2017-16025

Summary: The vulnerability affects the Nes WebSocket extension for hapi. Versions up to and including 6.4.0 are susceptible to a denial-of-service when websocket authentication uses a cookie and an invalid cookie is submitted during the upgrade request, causing the node process to error/terminat...

CVSS 5.9, AI score 5.7, EPSS 0.00365
Exploits: 0, References: 3, Affected Software: 1

Prion
added 2018/05/31 8:29 p.m., 16 views

Design/Logic Flaw

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GE...

CVSS 5, AI score 7, EPSS 0.00248
Exploits: 0, References: 3, Affected Software: 1

NVD
added 2018/05/31 8:29 p.m., 20 views

CVE-2015-9236

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GE...

CVSS 5.3, AI score 5.3, EPSS 0.00248
Exploits: 0, References: 3

Cvelist
added 2018/05/31 8:0 p.m., 24 views

CVE-2015-9236

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GE...

AI score 5.3, EPSS 0.00248
Exploits: 0, References: 3

CVE
added 2018/05/31 8:0 p.m., 53 views

CVE-2015-9236

CVE-2015-9236 concerns Hapi (Node.js framework) versions

CVSS 5.3, AI score 5.2, EPSS 0.00248
Exploits: 0, References: 3, Affected Software: 1

Prion
added 2018/05/29 8:29 p.m., 9 views

Authentication flaw

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

CVSS 7.5, AI score 7.2, EPSS 0.00448
Exploits: 0, References: 3, Affected Software: 1

NVD
added 2018/05/29 8:29 p.m., 10 views

CVE-2016-10525

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

CVSS 9.8, AI score 9.6, EPSS 0.00448
Exploits: 0, References: 3

OSV
added 2018/05/29 8:29 p.m., 8 views

CVE-2016-10525

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

CVSS 9.8, AI score 9.8
Exploits: 0, References: 3

Cvelist
added 2018/05/29 8:0 p.m., 12 views

CVE-2016-10525

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

AI score 9.7, EPSS 0.00448
Exploits: 0, References: 3

CVE
added 2018/05/29 8:0 p.m., 49 views

CVE-2015-9241

Affected software: hapi node module (Node.js) prior to version 11.1.3. Root cause: certain inputs in If-Modified-Since or Last-Modified headers cause an 'illegal access' exception, leading hapi to keep the socket open instead of returning HTTP 500, effectively a denial of service. Impact: potenti...

CVSS 7.5, AI score 7.5, EPSS 0.00346
Exploits: 1, References: 3, Affected Software: 1

CVE
added 2018/05/29 8:0 p.m., 47 views

CVE-2016-10525

Affects hapi-auth-jwt2 prior to 5.1.2: in try authentication mode, an authentication bypass vulnerability exists, enabling bypass of auth checks. Impact described as complete bypass with high severity; fix is to upgrade to 5.1.2 or later. Documents from GHSA and npm advisory confirm vulnerability...

CVSS 9.8, AI score 9.5, EPSS 0.00448
Exploits: 0, References: 3, Affected Software: 1

CVE
added 2018/05/29 8:0 p.m., 46 views

CVE-2015-9243

CVE-2015-9243 affects the hapi Node.js framework prior to version 11.1.4, where merging server/connection/route-level CORS configurations could cause security restrictions (e.g., origin) to be overridden by less restrictive defaults (origin → *). This confluence creates weaker CORS controls than ...

CVSS 5.9, AI score 5.6, EPSS 0.00165
Exploits: 1, References: 2, Affected Software: 1