Nepotistic Pontifex Maximus
hapi

Denial of Service

Severity: high

Overview

Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.

The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.

This causes an 'illegal access' exception to be raised; instead of sending an HTTP 500 error back to the sender, hapi continues to hold the socket open until it times out (the default Node timeout is 2 minutes).

Remediation

Update to v11.1.3 or later

Vulnerable versions

0.0.1
7 years ago
0.0.2
7 years ago
0.0.3
7 years ago
0.0.4
7 years ago
0.0.5
7 years ago
0.0.6
7 years ago
0.1.0
7 years ago
0.1.1
7 years ago
0.1.2
7 years ago
0.1.3
6 years ago
0.2.0
6 years ago
0.2.1
6 years ago
0.3.0
6 years ago
0.4.0
6 years ago
0.4.1
6 years ago
0.4.2
6 years ago
0.4.3
6 years ago
0.4.4
6 years ago
0.5.0
6 years ago
0.5.1
6 years ago
0.6.0
6 years ago
0.6.1
6 years ago
0.5.2
6 years ago
0.7.0
6 years ago
0.7.1
6 years ago
0.8.0
6 years ago
0.8.1
6 years ago
0.8.2
6 years ago
0.8.3
6 years ago
0.8.4
6 years ago
0.9.0
6 years ago
0.9.1
6 years ago
0.9.2
6 years ago
0.10.0
6 years ago
0.10.1
6 years ago
0.11.0
6 years ago
0.11.1
6 years ago
0.11.2
6 years ago
0.11.3
6 years ago
0.12.0
6 years ago
0.13.0
6 years ago
0.13.1
6 years ago
0.13.2
6 years ago
0.11.4
5 years ago
0.13.3
5 years ago
0.14.0
5 years ago
0.14.1
5 years ago
0.14.2
5 years ago
0.15.0
5 years ago
0.15.1
5 years ago
0.15.2
5 years ago
0.15.3
5 years ago
0.15.4
5 years ago
0.15.5
5 years ago
0.15.6
5 years ago
0.15.7
5 years ago
0.15.8
5 years ago
0.15.9
5 years ago
0.16.0
5 years ago
1.0.0
5 years ago
1.0.1
5 years ago
1.0.2
5 years ago
1.0.3
5 years ago
1.1.0
5 years ago
1.2.0
5 years ago
1.3.0
5 years ago
1.4.0
5 years ago
1.5.0
5 years ago
1.6.0
5 years ago
1.6.1
5 years ago
1.6.2
5 years ago
1.7.0
5 years ago
1.7.1
5 years ago
1.7.2
5 years ago
1.7.3
5 years ago
1.8.0
5 years ago
1.8.1
5 years ago
1.8.2
5 years ago
1.8.3
5 years ago
1.9.0
5 years ago
1.9.1
5 years ago
1.9.2
5 years ago
1.9.3
5 years ago
1.9.4
5 years ago
1.9.5
5 years ago
1.9.6
5 years ago
1.9.7
5 years ago
1.10.0
5 years ago
1.11.0
5 years ago
1.11.1
5 years ago
1.12.0
5 years ago
1.13.0
5 years ago
1.14.0
5 years ago
1.15.0
5 years ago
1.16.0
5 years ago
1.16.1
5 years ago
1.17.0
5 years ago
1.18.0
5 years ago
1.19.0
5 years ago
1.19.1
5 years ago
1.19.2
5 years ago
1.19.3
5 years ago
1.19.4
5 years ago
1.19.5
5 years ago
1.20.0
5 years ago
2.0.0
5 years ago
2.1.0
5 years ago
2.1.1
5 years ago
2.1.2
5 years ago
2.2.0
5 years ago
2.3.0
5 years ago
2.4.0
4 years ago
2.5.0
4 years ago
2.6.0
4 years ago
3.0.0
4 years ago
3.0.1
4 years ago
3.0.2
4 years ago
3.1.0
4 years ago
4.0.0
4 years ago
4.0.1
4 years ago
4.0.2
4 years ago
4.0.3
4 years ago
4.1.0
4 years ago
4.1.1
4 years ago
4.1.2
4 years ago
4.1.3
4 years ago
4.1.4
4 years ago
5.0.0
4 years ago
5.1.0
4 years ago
6.0.0
4 years ago
6.0.1
4 years ago
6.0.2
4 years ago
6.1.0
4 years ago
6.2.0
4 years ago
6.2.1
4 years ago
6.2.2
4 years ago
6.3.0
4 years ago
6.4.0
4 years ago
6.5.0
4 years ago
6.5.1
4 years ago
6.6.0
4 years ago
6.7.0
4 years ago
6.7.1
4 years ago
6.8.0
4 years ago
6.8.1
4 years ago
6.9.0
4 years ago
6.10.0
4 years ago
6.11.0
4 years ago
6.11.1
4 years ago
7.0.0
4 years ago
7.0.1
4 years ago
7.1.0
4 years ago
7.1.1
4 years ago
7.2.0
4 years ago
7.3.0
4 years ago
7.4.0
4 years ago
7.5.0
4 years ago
7.5.1
4 years ago
7.5.2
4 years ago
8.0.0
4 years ago
7.5.3
4 years ago
8.1.0
4 years ago
8.2.0
4 years ago
8.3.0
3 years ago
8.3.1
3 years ago
8.4.0
3 years ago
8.5.0
3 years ago
8.5.1
3 years ago
8.5.2
3 years ago
8.5.3
3 years ago
8.6.0
3 years ago
8.6.1
3 years ago
8.8.0
3 years ago
8.8.1
3 years ago
9.0.0
3 years ago
9.0.1
3 years ago
9.0.2
3 years ago
9.0.3
3 years ago
9.0.4
3 years ago
9.1.0
3 years ago
9.2.0
3 years ago
9.3.0
3 years ago
9.3.1
3 years ago
10.0.0
3 years ago
10.0.1
3 years ago
10.1.0
3 years ago
10.2.0
3 years ago
10.2.1
3 years ago
10.3.0
3 years ago
10.4.0
3 years ago
10.4.1
3 years ago
10.5.0
3 years ago
11.0.0
3 years ago
11.0.1
3 years ago
11.0.2
3 years ago
11.0.3
3 years ago
11.0.4
3 years ago
11.0.5
3 years ago
11.1.0
3 years ago
11.1.1
3 years ago
11.1.2
3 years ago
9.5.1
3 years ago

Unaffected versions

2.0.0-preview
5 years ago
0.5.1-a
5 years ago
0.5.1-b
5 years ago
0.5.1-b2
5 years ago
0.5.1-c
5 years ago
8.0.0-rc1
4 years ago
8.0.0-rc2
4 years ago
8.0.0-rc3
4 years ago
8.0.0-rc4
4 years ago
8.0.0-rc5
4 years ago
8.0.0-rc6
4 years ago
8.0.0-rc7
4 years ago
8.0.0-rc8
4 years ago
8.0.0-rc9
4 years ago
11.1.3
3 years ago
11.1.4
3 years ago
12.0.0
3 years ago
12.0.1
3 years ago
12.1.0
3 years ago
13.0.0
3 years ago
13.1.0
2 years ago
13.2.0
2 years ago
13.2.1
2 years ago
13.2.2
2 years ago
13.3.0
2 years ago
13.4.0
2 years ago
13.4.1
2 years ago
13.4.2
2 years ago
13.5.0
2 years ago
13.5.1
2 years ago
13.5.2
2 years ago
14.0.0
2 years ago
13.5.3
2 years ago
14.1.0
2 years ago
14.2.0
2 years ago
15.0.0
2 years ago
15.0.1
2 years ago
15.0.2
2 years ago
15.0.3
2 years ago
15.1.0
2 years ago
15.1.1
2 years ago
15.2.0
2 years ago
16.0.0
2 years ago
16.0.1
2 years ago
16.0.2
2 years ago
16.0.3
2 years ago
16.1.0
2 years ago
16.1.1
a year ago
16.2.0
a year ago
16.3.0
a year ago
16.3.1
a year ago
16.4.0
a year ago
16.4.1
a year ago
16.4.2
a year ago
16.4.3
a year ago
16.5.0
a year ago
16.5.1
a year ago
16.5.2
a year ago
16.6.0
a year ago
16.6.1
a year ago
16.6.2
a year ago
17.0.0-rc1
a year ago
17.0.0-rc2
10 months ago
17.0.0-rc3
10 months ago
17.0.0-rc4
10 months ago
17.0.0-rc5
10 months ago
17.0.0-rc6
10 months ago
17.0.0-rc8
10 months ago
17.0.0-rc9
10 months ago
17.0.0-rc10
9 months ago
17.0.0
9 months ago
17.0.1
9 months ago
17.0.2
9 months ago
17.1.0
9 months ago
17.1.1
9 months ago
17.2.0
8 months ago
17.2.1
5 months ago
16.6.3
5 months ago
17.2.2
5 months ago
17.2.3
5 months ago
17.3.0
5 months ago
17.3.1
4 months ago
17.4.0
4 months ago
17.5.0
3 months ago
17.5.1
3 months ago
17.5.2
2 months ago
17.5.3
13 days ago

Resources

Commit #aab2496
PR #179

Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory, which led to identifying this.

Advisory timeline

  1. Published

    Advisory published
    Dec 23rd, 2015
  2. Reported

    Initial report by Adam Baldwin
    Dec 23rd, 2015