Search criteria
8 vulnerabilities by hapijs
CVE-2023-25166 (GCVE-0-2023-25166)
Vulnerability from cvelistv5 – Published: 2023-02-08 19:28 – Updated: 2025-03-10 21:14
VLAI?
Summary
formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.
Severity ?
5.5 (Medium)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:35.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hapijs/formula/security/advisories/GHSA-c2jc-4fpr-4vhg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hapijs/formula/security/advisories/GHSA-c2jc-4fpr-4vhg"
},
{
"name": "https://github.com/hapijs/formula/commit/9fbc20a02d75ae809c37a610a57802cd1b41b3fe",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/formula/commit/9fbc20a02d75ae809c37a610a57802cd1b41b3fe"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:12.667100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:14:39.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "formula",
"vendor": "hapijs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula\u0027s parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-08T19:28:29.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hapijs/formula/security/advisories/GHSA-c2jc-4fpr-4vhg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hapijs/formula/security/advisories/GHSA-c2jc-4fpr-4vhg"
},
{
"name": "https://github.com/hapijs/formula/commit/9fbc20a02d75ae809c37a610a57802cd1b41b3fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/formula/commit/9fbc20a02d75ae809c37a610a57802cd1b41b3fe"
}
],
"source": {
"advisory": "GHSA-c2jc-4fpr-4vhg",
"discovery": "UNKNOWN"
},
"title": "Regular Expression Denial of Service (ReDoS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25166",
"datePublished": "2023-02-08T19:28:29.314Z",
"dateReserved": "2023-02-03T16:59:18.246Z",
"dateUpdated": "2025-03-10T21:14:39.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36604 (GCVE-0-2020-36604)
Vulnerability from cvelistv5 – Published: 2022-09-23 05:28 – Updated: 2025-05-27 14:48
VLAI?
Summary
hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.
Severity ?
8.1 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.460Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/hoek/issues/352"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-HAPIHOEK-548452%29"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:47:45.364912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:48:14.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-23T05:28:11.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/hoek/issues/352"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-HAPIHOEK-548452%29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hapijs/hoek/issues/352",
"refsource": "MISC",
"url": "https://github.com/hapijs/hoek/issues/352"
},
{
"name": "https://security.snyk.io/vuln/SNYK-JS-HAPIHOEK-548452)",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JS-HAPIHOEK-548452)"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36604",
"datePublished": "2022-09-23T05:28:11.000Z",
"dateReserved": "2022-09-23T00:00:00.000Z",
"dateUpdated": "2025-05-27T14:48:14.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16025 (GCVE-0-2017-16025)
Vulnerability from cvelistv5 – Published: 2018-06-04 19:00 – Updated: 2024-09-17 01:12
VLAI?
Summary
Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.
Severity ?
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | nes node module |
Affected:
<=6.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:13:06.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/331"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/nes/issues/171"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nes node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=6.4.0"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-04T18:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/331"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/nes/issues/171"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16025",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nes node module",
"version": {
"version_data": [
{
"version_value": "\u003c=6.4.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/331",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/331"
},
{
"name": "https://github.com/hapijs/nes/issues/171",
"refsource": "MISC",
"url": "https://github.com/hapijs/nes/issues/171"
},
{
"name": "https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655",
"refsource": "MISC",
"url": "https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16025",
"datePublished": "2018-06-04T19:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-17T01:12:03.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16013 (GCVE-0-2017-16013)
Vulnerability from cvelistv5 – Published: 2018-06-04 19:00 – Updated: 2024-09-17 04:09
VLAI?
Summary
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.
Severity ?
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | hapi node module |
Affected:
>= 15.0.0 <= 16.1.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:13:06.658Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/335"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/hapi/issues/3466"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hapi node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003e= 15.0.0 \u003c= 16.1.0"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "hapi is a web and services application framework. When hapi \u003e= 15.0.0 \u003c= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-04T18:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/335"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/hapi/issues/3466"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16013",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hapi node module",
"version": {
"version_data": [
{
"version_value": "\u003e= 15.0.0 \u003c= 16.1.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "hapi is a web and services application framework. When hapi \u003e= 15.0.0 \u003c= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/335",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/335"
},
{
"name": "https://github.com/hapijs/hapi/issues/3466",
"refsource": "MISC",
"url": "https://github.com/hapijs/hapi/issues/3466"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16013",
"datePublished": "2018-06-04T19:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-17T04:09:41.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9236 (GCVE-0-2015-9236)
Vulnerability from cvelistv5 – Published: 2018-05-31 20:00 – Updated: 2024-09-17 04:15
VLAI?
Summary
Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.
Severity ?
No CVSS data available.
CWE
- CWE-284 - Improper Access Control - Generic (CWE-284)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | hapi node module |
Affected:
<11.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:43:42.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/hapi/issues/2850"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/hapi/issues/2840"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hapi node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c11.0.0"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control - Generic (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-31T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/hapi/issues/2850"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/hapi/issues/2840"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/45"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2015-9236",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hapi node module",
"version": {
"version_data": [
{
"version_value": "\u003c11.0.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control - Generic (CWE-284)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hapijs/hapi/issues/2850",
"refsource": "MISC",
"url": "https://github.com/hapijs/hapi/issues/2850"
},
{
"name": "https://github.com/hapijs/hapi/issues/2840",
"refsource": "MISC",
"url": "https://github.com/hapijs/hapi/issues/2840"
},
{
"name": "https://nodesecurity.io/advisories/45",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/45"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2015-9236",
"datePublished": "2018-05-31T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-17T04:15:13.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9241 (GCVE-0-2015-9241)
Vulnerability from cvelistv5 – Published: 2018-05-29 20:00 – Updated: 2024-09-16 17:03
VLAI?
Summary
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes).
Severity ?
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | hapi node module |
Affected:
<11.1.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:43:41.875Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jfhbrook/node-ecstatic/pull/179"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/63"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hapi node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c11.1.3"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Certain input passed into the If-Modified-Since or Last-Modified headers will cause an \u0027illegal access\u0027 exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-29T19:57:02",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jfhbrook/node-ecstatic/pull/179"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/63"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2015-9241",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hapi node module",
"version": {
"version_data": [
{
"version_value": "\u003c11.1.3"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Certain input passed into the If-Modified-Since or Last-Modified headers will cause an \u0027illegal access\u0027 exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jfhbrook/node-ecstatic/pull/179",
"refsource": "MISC",
"url": "https://github.com/jfhbrook/node-ecstatic/pull/179"
},
{
"name": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580",
"refsource": "MISC",
"url": "https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"
},
{
"name": "https://nodesecurity.io/advisories/63",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/63"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2015-9241",
"datePublished": "2018-05-29T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T17:03:05.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9243 (GCVE-0-2015-9243)
Vulnerability from cvelistv5 – Published: 2018-05-29 20:00 – Updated: 2024-09-17 02:27
VLAI?
Summary
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`).
Severity ?
No CVSS data available.
CWE
- CWE-284 - Improper Access Control - Generic (CWE-284)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | hapi node module |
Affected:
<11.1.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:43:42.327Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hapijs/hapi/issues/2980"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/65"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hapi node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c11.1.4"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control - Generic (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-29T19:57:02",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapijs/hapi/issues/2980"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/65"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2015-9243",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hapi node module",
"version": {
"version_data": [
{
"version_value": "\u003c11.1.4"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control - Generic (CWE-284)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hapijs/hapi/issues/2980",
"refsource": "MISC",
"url": "https://github.com/hapijs/hapi/issues/2980"
},
{
"name": "https://nodesecurity.io/advisories/65",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/65"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2015-9243",
"datePublished": "2018-05-29T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-17T02:27:19.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-3728 (GCVE-0-2018-3728)
Vulnerability from cvelistv5 – Published: 2018-03-30 19:00 – Updated: 2024-08-05 04:50
VLAI?
Summary
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Severity ?
No CVSS data available.
CWE
- CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hapi | hoek node module |
Affected:
Versions before 5.0.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/310439"
},
{
"name": "103108",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103108"
},
{
"name": "RHSA-2018:1264",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1264"
},
{
"name": "RHSA-2018:1263",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1263"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/npm:hoek:20180212"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/566"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hoek node module",
"vendor": "hapi",
"versions": [
{
"status": "affected",
"version": "Versions before 5.0.3"
}
]
}
],
"datePublic": "2018-03-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via \u0027merge\u0027 and \u0027applyToDefaults\u0027 functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-02T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/310439"
},
{
"name": "103108",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103108"
},
{
"name": "RHSA-2018:1264",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1264"
},
{
"name": "RHSA-2018:1263",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1263"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/npm:hoek:20180212"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodesecurity.io/advisories/566"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-3728",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hoek node module",
"version": {
"version_data": [
{
"version_value": "Versions before 5.0.3"
}
]
}
}
]
},
"vendor_name": "hapi"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via \u0027merge\u0027 and \u0027applyToDefaults\u0027 functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee",
"refsource": "CONFIRM",
"url": "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee"
},
{
"name": "https://hackerone.com/reports/310439",
"refsource": "MISC",
"url": "https://hackerone.com/reports/310439"
},
{
"name": "103108",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103108"
},
{
"name": "RHSA-2018:1264",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1264"
},
{
"name": "RHSA-2018:1263",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1263"
},
{
"name": "https://snyk.io/vuln/npm:hoek:20180212",
"refsource": "MISC",
"url": "https://snyk.io/vuln/npm:hoek:20180212"
},
{
"name": "https://nodesecurity.io/advisories/566",
"refsource": "CONFIRM",
"url": "https://nodesecurity.io/advisories/566"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3728",
"datePublished": "2018-03-30T19:00:00",
"dateReserved": "2017-12-28T00:00:00",
"dateUpdated": "2024-08-05T04:50:30.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}