Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU4NTQtanZ4eC0yY2c5

High
Permalink JSON

Denial of Service in content

Affected Packages Affected Versions Fixed Versions
npm:content
PURL: pkg:npm/content
<= 4.0.6 No known fixed version
20 Dependent packages
10,858 Dependent repositories
291,051 Downloads last month

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

Versions of content are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Recommendation

This package is deprecated and is now maintained as @hapi/content. Please update your dependencies to use @hapi/content.

References:

Identifiers

GHSA-5854-jvxx-2cg9

Risk

Severity

High

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/hapijs/content

Date and time

Published

about 5 years ago

Updated

about 1 month ago

API

JSON