{"url":"http://public2.vulnerablecode.io/api/packages/16907?format=json","purl":"pkg:npm/hapi@6.1.0","type":"npm","namespace":"","name":"hapi","version":"6.1.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"13.4.2","latest_non_vulnerable_version":"16.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361693?format=json","vulnerability_id":"VCID-6ps3-k814-6bbn","summary":"Route level CORS config overrides connection level defaults\nWhen server level, connection level or route level CORS configurations are combined, a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins `*`).","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/2980","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2980"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16935?format=json","purl":"pkg:npm/hapi@11.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.4"}],"aliases":["GMS-2015-57"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ps3-k814-6bbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200659?format=json","vulnerability_id":"VCID-fux4-6m7g-x3a3","summary":"Incorrect handling of CORS preflight request headers in 
hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9236","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48376","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9236"},{"reference_url":"https://github.com/hapijs/hapi/issues/2840","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2840"},{"reference_url":"https://github.com/hapijs/hapi/issues/2850","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2850"},{"reference_url":"https://nodesecurity.io/advisories/45","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/45"},{"reference_url":"https://www.npmjs.com/advisories/45","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9236","reference_id":"CVE-2015-9236","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9236"},{"reference_url":"https://github.com/advisories/GHSA-vwrf-r5r4-7775","reference_id":"GHSA-vwrf-r5r4-7775","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vwrf-r5r4-7775"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13136?format=json","purl":"pkg:npm/hapi@11.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},
{"vulnerability":"VCID-kxrp-gw1f-t7au"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-nkm6-cx2e-cqe2"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.0.0"}],"aliases":["CVE-2015-9236","GHSA-vwrf-r5r4-7775"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fux4-6m7g-x3a3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361649?format=json","vulnerability_id":"VCID-jypm-n7rm-5yed","summary":"Incorrect handling of CORS preflight request headers\nHapi implements CORS incorrectly and allows for configurations that at best return inconsistent headers and at worst allow cross-origin activities that are expected to be forbidden.","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/2840","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2840"},{"reference_url":"https://github.com/hapijs/hapi/issues/2850","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2850"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13136?format=json","purl":"pkg:npm/hapi@11.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-kxrp-gw1f-t7au"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-nkm6-cx2e-cqe2"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.0.0"}],"aliases":["GMS-2015-36"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jypm-n7rm-5yed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361691?format=json","vulnerability_id":"VCID-kxrp-gw1f-t7au","summary":"Denial of service - Potential socket exhaustion\nCertain input passed into 
the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).","references":[{"reference_url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"},{"reference_url":"https://github.com/jfhbrook/node-ecstatic/pull/179","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jfhbrook/node-ecstatic/pull/179"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13134?format=json","purl":"pkg:npm/hapi@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.3"}],"aliases":["GMS-2015-54"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kxrp-gw1f-t7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205235?format=json","vulnerability_id":"VCID-mqh2-ys84-fkaz","summary":"Unsafe Merging of CORS Configuration Conflict in 
hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9243","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37391","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9243"},{"reference_url":"https://github.com/hapijs/hapi/issues/2980","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2980"},{"reference_url":"https://nodesecurity.io/advisories/65","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/65"},{"reference_url":"https://www.npmjs.com/advisories/65","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/65"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9243","reference_id":"CVE-2015-9243","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9243"},{"reference_url":"https://github.com/advisories/GHSA-j3g2-m5jj-6336","reference_id":"GHSA-j3g2-m5jj-6336","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3g2-m5jj-6336"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16935?format=json","purl":"pkg:npm/hapi@11.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.4"}],"aliases":["CVE-2015-9243","GHSA-j3g2-m5jj-6336"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqh2-ys84-fkaz"},{"url":"http://public2.vulnerableco
de.io/api/vulnerabilities/200654?format=json","vulnerability_id":"VCID-nkm6-cx2e-cqe2","summary":"Denial of Service in hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9241","reference_id":"","reference_type":"","scores":[{"value":"0.00346","scoring_system":"epss","scoring_elements":"0.57608","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9241"},{"reference_url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"},{"reference_url":"https://github.com/jfhbrook/node-ecstatic/pull/179","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jfhbrook/node-ecstatic/pull/179"},{"reference_url":"https://nodesecurity.io/advisories/63","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/63"},{"reference_url":"https://nodesecurity.io/advisories/64","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/64"},{"reference_url":"https://www.npmjs.com/advisories/63","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/63"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9241","reference_id":"CVE-2015-9241","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9241"},{"reference_url":"https://github.com/advisories/GHSA-rc8h-3fv6-pxv8","reference_id":"GHSA-rc8h-3fv6-pxv8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"
HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rc8h-3fv6-pxv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13134?format=json","purl":"pkg:npm/hapi@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.3"}],"aliases":["CVE-2015-9241","GHSA-rc8h-3fv6-pxv8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkm6-cx2e-cqe2"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/180081?format=json","vulnerability_id":"VCID-pjjx-6sb6-s7g3","summary":"Multiple vulnerabilities have been found in Adobe Flash Player,\n    worst of which allows remote attackers to execute arbitrary code.","references":[{"reference_url":"http://helpx.adobe.com/security/products/flash-player/apsb14-17.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://helpx.adobe.com/security/products/flash-player/apsb14-17.html"},{"reference_url":"http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash"},{"reference_url":"http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/","reference_id":"","reference_type":"","scores":[],"url":"http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0860.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.
redhat.com/errata/RHSA-2014-0860.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-4671.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-4671.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-4671","reference_id":"","reference_type":"","scores":[{"value":"0.35827","scoring_system":"epss","scoring_elements":"0.97185","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-4671"},{"reference_url":"http://secunia.com/advisories/59774","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/59774"},{"reference_url":"http://secunia.com/advisories/59837","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/59837"},{"reference_url":"http://security.gentoo.org/glsa/glsa-201407-02.xml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://security.gentoo.org/glsa/glsa-201407-02.xml"},{"reference_url":"https://github.com/hapijs/hapi/commit/d47f57abf23bdaa84f61aed2bac94ae5f358afb7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/commit/d47f57abf23bdaa84f61aed2bac94ae5f358afb7"},{"reference_url":"https://github.com/patrickkettner","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patrickkettner"},{"reference_url":"https://github.com/spumko/hapi","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://git
hub.com/spumko/hapi"},{"reference_url":"https://github.com/spumko/hapi/pull/1766","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spumko/hapi/pull/1766"},{"reference_url":"https://www.npmjs.com/advisories/12","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/12"},{"reference_url":"http://www.securityfocus.com/bid/68457","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/68457"},{"reference_url":"http://www.securitytracker.com/id/1030533","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1030533"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1117588","reference_id":"1117588","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1117588"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-4671","reference_id":"CVE-2014-4671","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-4671"},{"reference_url":"https://github.com/advisories/GHSA-363h-vj6q-3cmj","reference_id":"GHSA-363h-vj6q-3cmj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-363h-vj6q-3cmj"},{"reference_url":"https://security.gentoo.org/glsa/201407-02","reference_id":"GLSA-201407-02","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201407-02"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0860","reference_id":"RHSA-2014:0860","reference_type":"","scores":[],"url":"https
://access.redhat.com/errata/RHSA-2014:0860"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16907?format=json","purl":"pkg:npm/hapi@6.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-fux4-6m7g-x3a3"},{"vulnerability":"VCID-jypm-n7rm-5yed"},{"vulnerability":"VCID-kxrp-gw1f-t7au"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-nkm6-cx2e-cqe2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@6.1.0"}],"aliases":["CVE-2014-4671","GHSA-363h-vj6q-3cmj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pjjx-6sb6-s7g3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359585?format=json","vulnerability_id":"VCID-q6dd-9ssa-muhc","summary":"Rosetta-Flash JSONP Vulnerability\nThis description taken from the pull request provided by Patrick Kettner.\n\n[Background from the vulnerability finder](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)\n\ntl;dr - someone created an alphanum only swf converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains.\n\nPrepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. 
This is a fairly common solution currently being implemented by Google, Facebook, and Github.","references":[{"reference_url":"https://github.com/patrickkettner)","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/patrickkettner)"},{"reference_url":"https://github.com/spumko/hapi/pull/1766)","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/spumko/hapi/pull/1766)"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/12.json","reference_id":"12","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/12.json"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16907?format=json","purl":"pkg:npm/hapi@6.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-fux4-6m7g-x3a3"},{"vulnerability":"VCID-jypm-n7rm-5yed"},{"vulnerability":"VCID-kxrp-gw1f-t7au"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-nkm6-cx2e-cqe2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@6.1.0"}],"aliases":["CVE-2014-4671A"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q6dd-9ssa-muhc"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@6.1.0"}