CVE-2016-10525

Affects hapi-auth-jwt2 prior to 5.1.2: in try authentication mode, an authentication bypass vulnerability exists, enabling bypass of auth checks. Impact described as complete bypass with high severity; fix is to upgrade to 5.1.2 or later. Documents from GHSA and npm advisory confirm vulnerability...

CVE-2016-10525

When attempting to allow authentication mode try in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication...

CVE-2015-9241

Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out default node timeout is 2...

CVE-2015-9243

When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions like origin, a higher level config that included security restrictions like origin would have those restrictions...

CVE-2015-9243

CVE-2015-9243 affects the hapi Node.js framework prior to version 11.1.4, where merging server/connection/route-level CORS configurations could cause security restrictions (e.g., origin) to be overridden by less restrictive defaults (origin → *). This confluence creates weaker CORS controls than ...

GHSA-84FQ-6626-W5FG CORS Token Disclosure in crumb

When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make...

docpad-plugin-hapi (>=2.0.13 <=2.3.3), hapi-advisories (>=0.0.1 <=0.0.6) +7 more potentially affected by CVE-2014-3742 via hapi (>=2.0.0 <=2.1.2)

hapi NPM version =2.0.0, =2.0.13, =0.0.1, =0.9.2, =0.3.0, =0.14.0, =0.0.1, =0.0.1, =0.0.2, =0.0.1, =1.0.0 Source cves: CVE-2014-3742 Source advisory: OSV:GHSA-CQR7-78PJ-3G7J...

GHSA-CQR7-78PJ-3G7J File Descriptor Leak Can Cause DoS Vulnerability in hapi

Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the process file...

File Descriptor Leak Can Cause DoS Vulnerability in hapi

Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the process file...

Denial Of Service (DoS)

hapi is vulnerable to denial of service DoS attacks. A malicious user can send a malicious accept-encoding header to the system that causes the library to crash or the client to hang until the timeout period is reached...

Denial of Service via malformed accept-encoding header

Overview Affected versions of hapi will crash or lock the event loop when a malformed accept-encoding header is recieved. Recommendation Update to version 16.1.1 or later. References - Issue 3466 - GitHub Advisory...

Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution (CVE-2014-7205)

An un-authenticated code injection vulnerability exists in the Bassmaster Nodejs plugin for Hapi. The vulnerability is due to improper input validation within the batch endpoint. Successful exploitation could allow an attacker to execute arbitrary code...

Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution

require 'msf/core' class MetasploitModule 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution', 'Description' = %q This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and...

Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution Exploit

This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that the code uses a '\x2f' character...

Authentication Bypass

Overview Versions of hapi-auth-jwt2 prior to version 5.1.2 are affected by a complete authentication bypass vulnerability when in the try authentication mode. Recommendation Update to version 5.1.2 or later. References - Issue 111 - PR 112 - GitHub Advisory...

Unsafe Merging of CORS Configuration Conflict

Overview Versions of hapi prior to 11.1.4 are affected by a vulnerability that causes route-level CORS configuration to override connection-level or server-level CORS defaults. This may result in a situation where CORS permissions are less restrictive than intended. Recommendation Update hapi to...

Denial of Service

Overview Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability. The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers. This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500...

Incorrect handling of CORS preflight request headers

Overview Versions of hapi prior to 11.0.0 implement CORS incorrectly, allowing for configurations that at best return inconsistent headers, and at worst allow cross-origin activities that are expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is n...

CORS Token Disclosure

Overview When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly...

File Descriptor Leak Can Cause DoS Vulnerability

Overview Versions 2.0.x and 2.1.x of hapi are vulnerable to a denial of service attack via a file descriptor leak. When triggered repeatedly, this leak will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the proces...