GHSA-23vw-mhv5-grv5
Denial of Service vulnerability in hapi (npm)

Category: Denial of Service | Known public exploits: none

What is GHSA-23vw-mhv5-grv5 About?

This Denial of Service vulnerability in `@hapi/hapi` allows an attacker to shut down services. The flaw is in the CORS request handler, where invalid header values cause a system error leading to application termination. Exploiting this vulnerability is relatively easy, merely requiring a specially crafted HTTP header.

Affected Software

  • @hapi/hapi
    • >=19.0.0, <19.1.1
    • <18.4.1

Technical Details

Versions of @hapi/hapi prior to 18.4.1 or 19.1.1 are susceptible to a Denial of Service. The vulnerability lies within the Cross-Origin Resource Sharing (CORS) request handler. When a CORS header contains certain invalid values, the handler fails to manage the error condition gracefully and instead throws an unhandled system error. If the application's environment does not have a robust unhandled exception handler in place, this system error causes the entire application process to terminate. An attacker can leverage this by sending HTTP requests with malformed CORS headers, triggering the error and effectively shutting down the Hapi.js-based service.
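The failure mode above comes down to a header parser that throws where it should reject, and a request path with nothing to catch the exception. The following is an added illustration written for this page, not hapi's code and not the actual faulty code path: a constructed origin check that parses the Origin header with `new URL()` and throws on malformed input, beside a hardened version that returns a rejection object, plus a request-level `dispatch` wrapper that turns a handler exception into a 500 response instead of letting it escape. The allow-list, header values and function names are all made up for the demonstration.

```javascript
// Constructed illustration of the failure mode described above: a CORS
// origin check that parses the Origin header without guarding against
// malformed values (throws), beside one that fails closed (rejects), and a
// request-level catch that keeps a handler exception from escaping.
// This is NOT hapi's code; the allow-list and header values are made up.

const ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"];

// Naive check: assumes the Origin header is always a well-formed URL.
// `new URL()` throws a TypeError on malformed input; an exception that
// escapes the request path is what terminates a Node.js process that has
// no catch-all in place.
function naiveOriginCheck(headers, allowed = ALLOWED_ORIGINS) {
  const origin = new URL(headers.origin).origin; // throws on "not a url"
  return { allowed: allowed.includes(origin), origin };
}

// Hardened check: a missing, non-string, malformed or opaque ("null")
// Origin value maps to a rejection object, never to an exception, so the
// worst an attacker gets is a refused request.
function safeOriginCheck(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers.origin;
  if (typeof raw !== "string" || raw.length === 0) {
    return { allowed: false, reason: "missing-origin" };
  }
  let origin;
  try {
    origin = new URL(raw).origin;
  } catch (_err) {
    return { allowed: false, reason: "invalid-origin" };
  }
  if (origin === "null") {
    return { allowed: false, reason: "opaque-origin" };
  }
  return { allowed: allowed.includes(origin), origin };
}

// Builds a minimal request handler around a given origin check. Responses
// are plain objects so the behaviour can be inspected without a socket.
function makeCorsHandler(check) {
  return (request) => {
    const result = check(request.headers || {});
    if (!result.allowed) {
      return { status: 403, body: "origin not allowed", reason: result.reason };
    }
    return {
      status: 200,
      headers: { "access-control-allow-origin": result.origin, vary: "Origin" },
    };
  };
}

// Request-level safety net: an exception thrown by the handler becomes a
// 500 response instead of an uncaught exception. This is the kind of
// catch-all the advisory refers to; with it in place a malformed header
// costs one failed request rather than the whole process.
function dispatch(handler, request) {
  try {
    return handler(request);
  } catch (err) {
    return { status: 500, body: "internal error", error: err.name };
  }
}

// Demonstration on constructed requests.
const GOOD = { headers: { origin: "https://app.example.com" } };
const BAD = { headers: { origin: "not a url" } };

console.log(dispatch(makeCorsHandler(naiveOriginCheck), GOOD).status); // 200
console.log(dispatch(makeCorsHandler(naiveOriginCheck), BAD).status);  // 500 (contained crash)
console.log(dispatch(makeCorsHandler(safeOriginCheck), BAD).status);   // 403 (rejected, no exception)
```

The two layers are deliberately independent: the hardened check is the real fix (the parser never throws on attacker-controlled input), while the `dispatch` wrapper is the containment the advisory's "unhandled exception handler" remark points at, limiting the blast radius of any similar bug that the validation misses. Upgrading to the fixed release remains the actual remediation for this advisory.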

What is the Impact of GHSA-23vw-mhv5-grv5?

Successful exploitation may allow attackers to disrupt service availability by causing the application to crash, leading to a Denial of Service for legitimate users.

What is the Exploitability of GHSA-23vw-mhv5-grv5?

Exploitation of this vulnerability is low to moderate in complexity. It requires an attacker to send a specially crafted HTTP request containing invalid values in the CORS header. No prior authentication or specific privileges are required, making it a remote and unauthenticated attack. The primary prerequisite is that the target server is running a vulnerable version of @hapi/hapi. The likelihood of successful exploitation is increased if the web application is exposed to the internet and lacks proper input validation for HTTP headers, or if no unhandled exception handler is configured, allowing the application to crash upon error.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(none) | - | - | No known public exploits

What are the Available Fixes for GHSA-23vw-mhv5-grv5?

Available Upgrade Options

  • @hapi/hapi
    • <18.4.1 → Upgrade to 18.4.1
  • @hapi/hapi
    • >=19.0.0, <19.1.1 → Upgrade to 19.1.1


Additional Resources

What are Similar Vulnerabilities to GHSA-23vw-mhv5-grv5?

Similar Vulnerabilities: GHSA-9vrw-m88g-w75q, CVE-2020-26302