{"url":"http://public2.vulnerablecode.io/api/packages/405254?format=json","purl":"pkg:npm/hapi@8.1.0","type":"npm","namespace":"","name":"hapi","version":"8.1.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205628?format=json","vulnerability_id":"VCID-3wbk-8vbr-3fcc","summary":"Denial of Service in hapi","references":[{"reference_url":"https://www.npmjs.com/advisories/1481","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1481"},{"reference_url":"https://github.com/advisories/GHSA-7hx8-2rxv-66xv","reference_id":"GHSA-7hx8-2rxv-66xv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7hx8-2rxv-66xv"}],"fixed_packages":[],"aliases":["GHSA-7hx8-2rxv-66xv","GMS-2020-731"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3wbk-8vbr-3fcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361693?format=json","vulnerability_id":"VCID-6ps3-k814-6bbn","summary":"Route level CORS config overrides connection level defaults\nWhen server level, connection level or route level CORS configurations are combined and a higher level config included security restrictions (like origin), those restrictions would be overridden by less restrictive defaults (e.g. 
origin defaults to all origins `*`).","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/2980","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2980"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16935?format=json","purl":"pkg:npm/hapi@11.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.4"}],"aliases":["GMS-2015-57"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ps3-k814-6bbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200659?format=json","vulnerability_id":"VCID-fux4-6m7g-x3a3","summary":"Incorrect handling of CORS preflight request headers in hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9236","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48513","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48376","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9236"},{"reference_url":"https://github.com/hapijs/hapi/issues/2840","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2840"},{"reference_url":"https://github.com/hapijs/hapi/issues/2850","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2850"},{"reference_url":"https://nodesecurity.io/advisories/45","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/45"},{"reference_url":"h
ttps://www.npmjs.com/advisories/45","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9236","reference_id":"CVE-2015-9236","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9236"},{"reference_url":"https://github.com/advisories/GHSA-vwrf-r5r4-7775","reference_id":"GHSA-vwrf-r5r4-7775","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vwrf-r5r4-7775"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13136?format=json","purl":"pkg:npm/hapi@11.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"},{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-kxrp-gw1f-t7au"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-nkm6-cx2e-cqe2"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.0.0"}],"aliases":["CVE-2015-9236","GHSA-vwrf-r5r4-7775"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fux4-6m7g-x3a3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361649?format=json","vulnerability_id":"VCID-jypm-n7rm-5yed","summary":"Incorrect handling of CORS preflight request headers\nHapi implements CORS incorrectly and allows for configurations that at best return inconsistent headers and at worst allow cross-origin activities that are expected to be 
forbidden.","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/2840","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2840"},{"reference_url":"https://github.com/hapijs/hapi/issues/2850","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2850"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13136?format=json","purl":"pkg:npm/hapi@11.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"},{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-kxrp-gw1f-t7au"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-nkm6-cx2e-cqe2"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.0.0"}],"aliases":["GMS-2015-36"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jypm-n7rm-5yed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361691?format=json","vulnerability_id":"VCID-kxrp-gw1f-t7au","summary":"Denial of service - Potential socket exhaustion\nCertain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. 
Instead of sending a HTTP error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).","references":[{"reference_url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"},{"reference_url":"https://github.com/jfhbrook/node-ecstatic/pull/179","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jfhbrook/node-ecstatic/pull/179"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13134?format=json","purl":"pkg:npm/hapi@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"},{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.3"}],"aliases":["GMS-2015-54"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kxrp-gw1f-t7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205235?format=json","vulnerability_id":"VCID-mqh2-ys84-fkaz","summary":"Unsafe Merging of CORS Configuration Conflict in 
hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9243","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37391","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37569","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9243"},{"reference_url":"https://github.com/hapijs/hapi/issues/2980","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2980"},{"reference_url":"https://nodesecurity.io/advisories/65","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/65"},{"reference_url":"https://www.npmjs.com/advisories/65","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/65"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9243","reference_id":"CVE-2015-9243","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9243"},{"reference_url":"https://github.com/advisories/GHSA-j3g2-m5jj-6336","reference_id":"GHSA-j3g2-m5jj-6336","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3g2-m5jj-6336"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16935?format=json","purl":"pkg:npm/hapi@11.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.4"}],"aliases":["CVE-2015-9243","GHSA-j3g2-m5jj-6336"],"risk_score":3.1,"exploitability":"0
.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqh2-ys84-fkaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200654?format=json","vulnerability_id":"VCID-nkm6-cx2e-cqe2","summary":"Denial of Service in hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9241","reference_id":"","reference_type":"","scores":[{"value":"0.00346","scoring_system":"epss","scoring_elements":"0.57723","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00346","scoring_system":"epss","scoring_elements":"0.57608","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9241"},{"reference_url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"},{"reference_url":"https://github.com/jfhbrook/node-ecstatic/pull/179","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jfhbrook/node-ecstatic/pull/179"},{"reference_url":"https://nodesecurity.io/advisories/63","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/63"},{"reference_url":"https://nodesecurity.io/advisories/64","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/64"},{"reference_url":"https://www.npmjs.com/advisories/63","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/63"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9241","reference_id":"CVE-2015-9241","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"ht
tps://nvd.nist.gov/vuln/detail/CVE-2015-9241"},{"reference_url":"https://github.com/advisories/GHSA-rc8h-3fv6-pxv8","reference_id":"GHSA-rc8h-3fv6-pxv8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rc8h-3fv6-pxv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13134?format=json","purl":"pkg:npm/hapi@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"},{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.3"}],"aliases":["CVE-2015-9241","GHSA-rc8h-3fv6-pxv8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkm6-cx2e-cqe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361765?format=json","vulnerability_id":"VCID-y3tz-8qqs-vuds","summary":"Invalid input to route validation rules\nhapi does not validate empty parameters, which could result in invalid input bypassing the route validation rules. 
For example, in the routing scheme `/api/{param}/{param2}/details`, a request made to `/api///` would match incorrectly.","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/3228","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/3228"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388658?format=json","purl":"pkg:npm/hapi@13.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3wbk-8vbr-3fcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@13.4.2"}],"aliases":["GMS-2016-40"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3tz-8qqs-vuds"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@8.1.0"}