CVE-2015-9241
HIGHhapi < 11.1.3 - Denial of Service via If-Modified-Since or Last-Modified Header
Title source: llmDescription
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP 500 error back to the sender, hapi node module before 11.1.3 will continue to hold the socket open until timed out (default node timeout is 2 minutes).
References (3)
Core 3
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/jfhbrook/node-ecstatic/pull/179
Patch, Third Party Advisory x_refsource_misc
https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/63
Scores
CVSS v3
7.5
EPSS
0.0214
EPSS Percentile
79.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
CWE-400
Status
published
Products (2)
hapijs/hapi
< 11.1.3
npm/hapi
0 - 11.1.3npm
Published
May 29, 2018
Tracked Since
Feb 18, 2026