{"url":"http://public2.vulnerablecode.io/api/packages/405936?format=json","purl":"pkg:npm/hapi@11.0.4","type":"npm","namespace":"","name":"hapi","version":"11.0.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"13.4.2","latest_non_vulnerable_version":"16.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361693?format=json","vulnerability_id":"VCID-6ps3-k814-6bbn","summary":"Route level CORS config overrides connection level defaults\nWhen server level, connection level or route level CORS configurations are combined and a higher level config included security restrictions (like origin), those restrictions would be overridden by less restrictive defaults (e.g. origin defaults to all origins `*`).","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/2980","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/2980"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16935?format=json","purl":"pkg:npm/hapi@11.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.4"}],"aliases":["GMS-2015-57"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ps3-k814-6bbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361691?format=json","vulnerability_id":"VCID-kxrp-gw1f-t7au","summary":"Denial of service - Potential socket exhaustion\nCertain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. 
Instead of sending a HTTP error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).","references":[{"reference_url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"},{"reference_url":"https://github.com/jfhbrook/node-ecstatic/pull/179","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jfhbrook/node-ecstatic/pull/179"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13134?format=json","purl":"pkg:npm/hapi@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.3"}],"aliases":["GMS-2015-54"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kxrp-gw1f-t7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205235?format=json","vulnerability_id":"VCID-mqh2-ys84-fkaz","summary":"Unsafe Merging of CORS Configuration Conflict in 
hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9243","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37391","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9243"},{"reference_url":"https://github.com/hapijs/hapi/issues/2980","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/issues/2980"},{"reference_url":"https://nodesecurity.io/advisories/65","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/65"},{"reference_url":"https://www.npmjs.com/advisories/65","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/65"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9243","reference_id":"CVE-2015-9243","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9243"},{"reference_url":"https://github.com/advisories/GHSA-j3g2-m5jj-6336","reference_id":"GHSA-j3g2-m5jj-6336","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3g2-m5jj-6336"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16935?format=json","purl":"pkg:npm/hapi@11.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.4"}],"aliases":["CVE-2015-9243","GHSA-j3g2-m5jj-6336"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqh2-ys84-fkaz"},{"url":"http://public2.vulnerableco
de.io/api/vulnerabilities/200654?format=json","vulnerability_id":"VCID-nkm6-cx2e-cqe2","summary":"Denial of Service in hapi","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9241","reference_id":"","reference_type":"","scores":[{"value":"0.00346","scoring_system":"epss","scoring_elements":"0.57608","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9241"},{"reference_url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580"},{"reference_url":"https://github.com/jfhbrook/node-ecstatic/pull/179","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jfhbrook/node-ecstatic/pull/179"},{"reference_url":"https://nodesecurity.io/advisories/63","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/63"},{"reference_url":"https://nodesecurity.io/advisories/64","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/64"},{"reference_url":"https://www.npmjs.com/advisories/63","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/63"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9241","reference_id":"CVE-2015-9241","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9241"},{"reference_url":"https://github.com/advisories/GHSA-rc8h-3fv6-pxv8","reference_id":"GHSA-rc8h-3fv6-pxv8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"
HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rc8h-3fv6-pxv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13134?format=json","purl":"pkg:npm/hapi@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ps3-k814-6bbn"},{"vulnerability":"VCID-mqh2-ys84-fkaz"},{"vulnerability":"VCID-y3tz-8qqs-vuds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.1.3"}],"aliases":["CVE-2015-9241","GHSA-rc8h-3fv6-pxv8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkm6-cx2e-cqe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361765?format=json","vulnerability_id":"VCID-y3tz-8qqs-vuds","summary":"Invalid input to route validation rules\nhapi does not validate empty parameters, which could result in invalid input bypassing the route validation rules. For example, in the routing scheme `/api/{param}/{param2}/details`, a request made to `/api///` would match incorrectly.","references":[{"reference_url":"https://github.com/hapijs/hapi/issues/3228","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hapijs/hapi/issues/3228"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/388658?format=json","purl":"pkg:npm/hapi@13.4.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@13.4.2"}],"aliases":["GMS-2016-40"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3tz-8qqs-vuds"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hapi@11.0.4"}