CVE-2015-9241

EPSS 0.35%

Denial of Service in hapi

Published: 6/7/2018Modified: 11/8/2023

Description

Versions of `hapi` prior to 11.1.3 are affected by a denial of service vulnerability. The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers. This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes). ## Recommendation Update to v11.1.3 or later

Affected packages (1)

npm/hapifrom 0, < 11.1.3

References (5)

ADVISORYhttps://github.com/advisories/GHSA-rc8h-3fv6-pxv8
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-9241
WEBhttps://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580
WEBhttps://github.com/jfhbrook/node-ecstatic/pull/179
WEBhttps://www.npmjs.com/advisories/63