Severity: high

Denial of Service



Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.

The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.

This causes an 'illegal access' exception to be raised, and instead of sending a HTTP 500 error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).


Update to v11.1.3 or later


Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory which lead to identifying this.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Dec 23rd, 2015
  2. reported

    Initial report by Adam Baldwin
    Dec 23rd, 2015