hapi@0.5.2 vulnerabilities

HTTP Server framework

Direct Vulnerabilities

Known vulnerabilities in the hapi package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (with severity) and vulnerable version range
  • Severity: High
Denial of Service (DoS)

hapi is an HTTP server framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). The CORS request handler throws a system error if the request header contains certain invalid values. If no unhandled-exception handler is registered, the application will exit, allowing an attacker to shut down services.

How to fix Denial of Service (DoS)?

There is no fixed version for hapi.

Vulnerable versions: * (all versions)
  • Severity: Medium
Cross-site Scripting (XSS)

hapi is an HTTP server framework. Affected versions of the package are vulnerable to Cross-site Scripting (XSS). They do not handle invalid payloads, allowing attackers to craft malicious links or create a third-party web page that injects code into the browser. The fix was introduced in version 0.16.0 by parsing the payload and verifying its validity.

How to fix Cross-site Scripting (XSS)?

Upgrade hapi to version 0.16.0 or higher, although later versions are also susceptible to other vulnerabilities. The last known safe version is 11.1.4.

Vulnerable versions: <0.16.0
  • Severity: Medium
Potentially loose security restrictions

Security restrictions (e.g. allowed origins) are overridden by less restrictive defaults (i.e. all origins) when server-level, connection-level and route-level CORS configurations are combined.

Vulnerable versions: <11.1.4
  • Severity: High
Denial of Service (DoS)

Sending a purposefully crafted invalid date in the If-Modified-Since or Last-Modified header will cause the Hapi server to err but keep the socket open (the socket will time out after 2 minutes by default). This allows an attacker to quickly exhaust the sockets on the server, making it unavailable (a Denial of Service attack).

The vulnerability is caused by the combination of two bugs. First, the underlying V8 engine throws an exception when processing the specially crafted date, instead of stating the date is invalid as it should. Second, the Hapi server does not handle the exception well, leading to the socket remaining open.

Upgrading Hapi will address the second issue and thus fix the vulnerability.

Vulnerable versions: <11.1.3
  • Severity: Low
CORS Bypass

Hapi v11.0.0 and below have an incorrect implementation of the CORS protocol, and allow for configurations that, at best, return inconsistent headers and, at worst, cross-origin activities that are expected to be forbidden.

How to fix CORS Bypass?

Upgrade to version 11.0.0 or greater.

Vulnerable versions: <11.0.0
  • Severity: High
Rosetta Flash JSONP vulnerability

This description is taken from the pull request provided by Patrick Kettner.

tl;dr - someone created an alphanum-only SWF converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.

Prepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and GitHub.

Source: Node Security Project

How to fix the Rosetta Flash JSONP vulnerability?

Upgrade to the latest version of hapi.js

Vulnerable versions: <6.1.0
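As an added illustration (not hapi's own code and not from the pull request), a small JSONP responder that applies the mitigation described above: the body is prefixed with the empty inline comment `/**/`, so it can no longer begin with the SWF file signature ("FWS", "CWS" or "ZWS") that the Rosetta Flash technique relies on. The callback-name allowlist is an assumed extra hardening step, and on its own would not stop an alphanumeric SWF.

```javascript
// Added example: JSONP response builder with the Rosetta Flash mitigation.
// Assumption: callback names are restricted to dotted JS identifiers.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// A SWF file starts with one of these three-byte signatures.
const SWF_SIGNATURE = /^[CFZ]WS/;

function jsonpBody(callback, data) {
  if (typeof callback !== 'string' || !SAFE_CALLBACK.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  // "/**/" is the empty inline comment from the advisory: it is harmless
  // to the JavaScript consumer but breaks the Flash parser, because the
  // response no longer begins with a SWF signature.
  return '/**/' + callback + '(' + JSON.stringify(data) + ');';
}

// Defender-side check: can this response body be parsed as a SWF file?
function startsWithSwfSignature(body) {
  return SWF_SIGNATURE.test(body);
}

// Sample (constructed): an allowlisted but SWF-looking callback name is
// neutralised by the prefix, so the body never starts with "CWS".
const sample = jsonpBody('CWSexample', { ok: true });
console.log(sample, startsWithSwfSignature(sample));
```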