Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNxamctd2htbS04Z3Y2

High EPSS: 0.00334% (0.55504 Percentile) EPSS:
Permalink JSON

Denial of Service via malformed accept-encoding header in hapi

Affected Packages Affected Versions Fixed Versions
npm:hapi
PURL: pkg:npm/hapi
>= 15.0.0, <= 16.1.0 16.1.1
2,534 Dependent packages
32,983 Dependent repositories
222,819 Downloads last month

Affected Version Ranges

All affected versions

15.0.1, 15.0.2, 15.0.3, 15.1.0, 15.1.1, 15.2.0, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.1.0

All unaffected versions

0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.16.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.20.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 5.0.0, 5.1.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.4.0, 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.10.0, 6.11.0, 6.11.1, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.6.0, 8.6.1, 8.8.0, 8.8.1, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.1.0, 9.2.0, 9.3.0, 9.3.1, 9.5.1, 10.0.0, 10.0.1, 10.1.0, 10.2.1, 10.4.0, 10.4.1, 10.5.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 12.0.0, 12.0.1, 12.1.0, 13.0.0, 13.1.0, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.4.0, 13.4.1, 13.4.2, 13.5.0, 13.5.3, 14.0.0, 14.1.0, 14.2.0, 16.1.1, 16.2.0, 16.3.0, 16.3.1, 16.4.0, 16.4.1, 16.4.2, 16.4.3, 16.5.0, 16.5.1, 16.5.2, 16.6.0, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.7.0, 16.8.4, 17.0.0, 17.0.1, 17.0.2, 17.1.0, 17.1.1, 17.2.0, 17.2.1, 17.2.2, 17.2.3, 17.3.0, 17.3.1, 17.4.0, 17.5.0, 17.5.1, 17.5.2, 17.5.3, 17.5.4, 17.5.5, 17.6.0, 17.6.1, 17.6.2, 17.6.3, 17.6.4, 17.7.0, 17.8.0, 17.8.1, 17.8.2, 17.8.3, 17.8.4, 17.8.5, 18.0.0, 18.0.1, 18.1.0

Affected versions of hapi will crash or lock the event loop when a malformed accept-encoding header is recieved.

Recommendation

Update to version 16.1.1 or later.

References:

Identifiers

GHSA-cqjg-whmm-8gv6

CVE-2017-16013

Risk

Severity

High

EPSS

EPSS Percentage: 0.00334

EPSS Percentile: 0.55504

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/hapijs/hapi

Date and time

Published

almost 7 years ago

Updated

about 2 years ago

API

JSON