
691 matches found

OSV
added 2018/06/04 7:29 p.m. | 12 views

CVE-2017-16013

hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header, an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...

7.5 CVSS | 7.7 AI score
Exploits: 0 | References: 2
CVE
added 2018/06/04 7:0 p.m. | 60 views

CVE-2017-16013

The CVE-2017-16013 entry concerns the hapi web framework for Node.js. Affected versions are 15.0.0 through 16.1.0, where receiving a malformed accept-encoding header can trigger an uncaught exception, causing the hapi process to crash or the client connection to hang until timeout. This has been ...

7.5 CVSS | 7.4 AI score | 0.01584 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2018/06/04 7:0 p.m. | 54 views

CVE-2017-16025

Summary: The vulnerability affects the Nes WebSocket extension for hapi. Versions up to and including 6.4.0 are susceptible to a denial-of-service when websocket authentication uses a cookie and an invalid cookie is submitted during the upgrade request, causing the node process to error/terminat...

5.9 CVSS | 5.7 AI score | 0.01901 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2018/06/04 7:0 p.m. | 13 views

CVE-2017-16013

hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed accept-encoding header, an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached...

7.5 AI score | 0.01584 EPSS
Exploits: 0 | References: 2
Cvelist
added 2018/06/04 7:0 p.m. | 22 views

CVE-2017-16025

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket...

5.8 AI score | 0.01901 EPSS
Exploits: 0 | References: 3
OSV
added 2018/05/31 8:29 p.m. | 14 views

CVE-2016-10543

call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules...

5.3 CVSS | 5.6 AI score
Exploits: 0 | References: 2
Prion
added 2018/05/31 8:29 p.m. | 9 views

Design/Logic Flaw

call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules...

5 CVSS | 7 AI score | 0.01235 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Prion
added 2018/05/31 8:29 p.m. | 16 views

Design/Logic Flaw

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GE...

5 CVSS | 7 AI score | 0.0154 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
NVD
added 2018/05/31 8:29 p.m. | 20 views

CVE-2015-9236

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GE...

5.3 CVSS | 5.3 AI score | 0.0154 EPSS
Exploits: 0 | References: 3
Cvelist
added 2018/05/31 8:0 p.m. | 14 views

CVE-2016-10543

call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules...

5.2 AI score | 0.01235 EPSS
Exploits: 1 | References: 2
Cvelist
added 2018/05/31 8:0 p.m. | 25 views

CVE-2015-9236

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GE...

5.3 AI score | 0.0154 EPSS
Exploits: 0 | References: 3
CVE
added 2018/05/31 8:0 p.m. | 55 views

CVE-2015-9236

CVE-2015-9236 concerns Hapi (Node.js framework) versions

5.3 CVSS | 5.2 AI score | 0.0154 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Prion
added 2018/05/29 8:29 p.m. | 9 views

Authentication flaw

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

7.5 CVSS | 7.2 AI score | 0.02524 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Prion
added 2018/05/29 8:29 p.m. | 14 views

Design/Logic Flaw

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions like origin, a higher level config that included security restrictions like origin would have those restrictions...

4.3 CVSS | 7 AI score | 0.01039 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Prion
added 2018/05/29 8:29 p.m. | 17 views

Design/Logic Flaw

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out default node timeout is 2...

5 CVSS | 7 AI score | 0.02135 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
NVD
added 2018/05/29 8:29 p.m. | 19 views

CVE-2015-9241

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out default node timeout is 2...

7.5 CVSS | 7.5 AI score | 0.02135 EPSS
Exploits: 1 | References: 3
NVD
added 2018/05/29 8:29 p.m. | 13 views

CVE-2015-9243

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions like origin, a higher level config that included security restrictions like origin would have those restrictions...

5.9 CVSS | 5.7 AI score | 0.01039 EPSS
Exploits: 1 | References: 2
NVD
added 2018/05/29 8:29 p.m. | 10 views

CVE-2016-10525

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

9.8 CVSS | 9.6 AI score | 0.02524 EPSS
Exploits: 0 | References: 3
OSV
added 2018/05/29 8:29 p.m. | 9 views

CVE-2016-10525

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

9.8 CVSS | 9.8 AI score
Exploits: 0 | References: 3
CVE
added 2018/05/29 8:0 p.m. | 47 views

CVE-2016-10525

Affects hapi-auth-jwt2 prior to 5.1.2: in try authentication mode, an authentication bypass vulnerability exists, enabling bypass of auth checks. Impact described as complete bypass with high severity; fix is to upgrade to 5.1.2 or later. Documents from GHSA and npm advisory confirm vulnerability...

9.8 CVSS | 9.5 AI score | 0.02524 EPSS
Exploits: 0 | References: 3 | Affected Software: 1