hapijs 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk input validation and パス処理の欠陥 に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact unexpected behavior and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2020-36604 | hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | [email protected] | 8.1 | 0.99% | 2022-09-23 | 2025-05-27 |
| CVE-2017-16025 | Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out. | [email protected] | 5.9 | 0.38% | 2018-06-04 | 2024-11-21 |
| CVE-2017-16013 | hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. | [email protected] | 7.5 | 0.33% | 2018-06-04 | 2024-11-21 |
| CVE-2015-9236 | Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route. | [email protected] | 5.3 | 0.25% | 2018-05-31 | 2024-11-21 |
| CVE-2015-9243 | When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`). | [email protected] | 5.9 | 0.17% | 2018-05-29 | 2024-11-21 |
| CVE-2015-9241 | Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes). | [email protected] | 7.5 | 0.35% | 2018-05-29 | 2024-11-21 |
| CVE-2018-3728 | hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects. | [email protected] | 8.8 | 1.68% | 2018-03-30 | 2024-11-21 |