Improper Input Handling in Hapi Node Module Affecting Multiple Applications
CVE-2015-9241
7.5 HIGH
What is CVE-2015-9241?
The Hapi Node module prior to version 11.1.3 contains a flaw in how it processes certain inputs in the If-Modified-Since or Last-Modified headers. Such inputs can trigger an 'illegal access' exception. Rather than returning a standard HTTP 500 error to the requester, the module keeps the socket connection open until it times out, which by default takes two minutes. Attackers can potentially exploit this extended socket hold to disrupt service by consuming server resources.
Affected Version(s)
hapi node module <11.1.3
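
One way to check a project against the affected range above is to look for hapi entries below 11.1.3 in a parsed npm lockfile. This is an added example, not code from the advisory or from the hapi project; the function names and the sample lockfile are constructed for illustration, and it assumes the standard npm lockfile layouts ("packages" in lockfileVersion 2/3, nested "dependencies" in version 1).

```javascript
// Added example: flag hapi versions below 11.1.3 in a parsed npm lockfile.
const FIXED = [11, 1, 3]; // first fixed release per the advisory

// Parse "major.minor.patch[-prerelease]"; null if not a plain semver string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// true if the version sorts before 11.1.3 (a prerelease of 11.1.3 sorts before it),
// false if fixed, null if the format is unknown (git URL, tarball) and needs review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.pre;
}

// Report every installed copy of hapi, including copies nested under other packages.
function findHapi(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: isAffected(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/hapi$/.test(path)) record(path, meta.version);
    }
    return hits;
  }
  // lockfileVersion 1: nested dependency tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'hapi') record(here.join(' > '), meta.version);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 1, dependencies: {
  hapi: { version: '11.1.2' },
  'example-plugin': { version: '1.0.0', dependencies: { hapi: { version: '13.0.0' } } },
} };
console.log(findHapi(sampleLock));
```

An entry with affected: null has a version string the check cannot compare and should be resolved by hand.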