691 matches found
Denial of Service via malformed accept-encoding header in hapi
Affected versions of hapi will crash or lock the event loop when a malformed accept-encoding header is received. Recommendation: Update to version 16.1.1 or later...
GHSA-RQ8G-5PC5-WRHR Insufficient Entropy in cryptiles
Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits method does not provide sufficient entropy and it generates digits that are not evenly distributed. Recommendation: Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptil...
Timing Attack Through Insecure Password Comparison
hapi is vulnerable to timing attacks through a non-constant-time password comparison. The vulnerability exists due to the usage of !== to compare two password strings, allowing timing attacks to occur...
Hapi Denial of Service Vulnerability
Hapi is a server framework for Node.js. The framework supports input validation, caching, and authentication. A security vulnerability exists in Hapi versions 15.0.0 through 16.1.0. An attacker can exploit the vulnerability to cause hapi to crash or the client connection to hang...
Nes has an unspecified vulnerability
Nes is a WebSocket adapter plugin for hapi routing. A security vulnerability exists in Nes 6.4.0 and earlier versions. When websocket authentication is set to 'cookie', an attacker can exploit the vulnerability by submitting an invalid cookie to shut down the node process...
hapi node module security restriction vulnerability
The hapi node module is a server framework for Node.js. The framework supports input validation, caching, authentication and more. A security vulnerability exists in hapi node module versions prior to 11.1.4. An attacker can exploit the vulnerability to override a higher security restriction...
Unspecified vulnerability in hapi-auth-jwt2
hapi-auth-jwt2 is a module that supports authentication using JSON Web Tokens (JWT) in Hapi.js web applications. A security vulnerability exists in hapi-auth-jwt2 version 5.1.1. An attacker can exploit the vulnerability to bypass authentication...
hapi node module denial of service vulnerability
The hapi node module is a server framework for Node.js. The framework supports input validation, caching, authentication and more. A security vulnerability exists in hapi node module versions prior to 11.1.3. An attacker can exploit the vulnerability to cause a denial of service (socket exhaustion) wi...
@kmanion/senpai (=1.0.0), briskly (>=0.1.0-pre <=0.1.1-pre) +37 more potentially affected by CVE-2015-9236 via hapi (>=0.14.2 <=10.5.0)
hapi NPM version =0.14.2, =0.1.0-pre, =0.0.2, =0.0.7, =0.1.0, =0.1.0, =0.0.1, =0.0.4 - hapi-auth-passthrough =1.0.0 - hapi-exit =0.0.2 - hapi-mongoose-connect =1.0.0 - hapi-register-example =1.0.1 - hapi-sass-example =0.1.0 and more Source cves: CVE-2015-9236 Source advisory: OSV:GHSA-VWRF-R5R4-7...
GHSA-VWRF-R5R4-7775 Incorrect handling of CORS preflight request headers in hapi
Versions of hapi prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, t...
@kmanion/senpai (=1.0.0), be-more-hapi (=1.0.0-rc.1.1) +39 more potentially affected by CVE-2015-9241 via hapi (>=0.14.2 <=11.1.2)
hapi NPM version =0.14.2, =0.1.0-pre, =0.0.2, =0.0.7, =0.1.0, =0.1.0, =0.0.1, =0.0.4 - hapi-auth-passthrough =1.0.0 - hapi-exit =0.0.2 - hapi-mongoose-connect =1.0.0 - hapi-register-example =1.0.1 and more Source cves: CVE-2015-9241 Source advisory: OSV:GHSA-RC8H-3FV6-PXV8...
Denial of Service in hapi
Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability. The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers. This causes an 'illegal access' exception to be raised, and instead of sending an HTTP 500 error back...
Hapi CORS Rewrite Vulnerability
Hapi is a server framework for Node.js. The framework supports input validation, caching, and authentication. A security vulnerability exists in Hapi versions prior to 11.0.0, which stems from the program failing to implement CORS correctly. An attacker can exploit this vulnerability to potentiall...
CVE-2017-16025
Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket...
CVE-2017-16013 Design/Logic Flaw
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header, an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...