GHSA-9vrw-m88g-w75q
Denial of Service vulnerability in accept (npm)
What is GHSA-9vrw-m88g-w75q About?
This Denial of Service vulnerability in `@hapi/accept` allows an attacker to shut down services. The flaw is in the Accept-Encoding HTTP header parser, where invalid values cause a system error leading to application termination. Exploiting this vulnerability is relatively easy, merely requiring a specially crafted HTTP header.
Affected Software
- @hapi/accept
  - >=4.0.0, <5.0.1
  - >=3.2.0, <3.2.4
Technical Details
Versions of @hapi/accept prior to 3.2.4 or 5.0.1 are vulnerable to a Denial of Service of the Regular Expression Denial of Service (ReDoS) type. The vulnerability specifically affects the Accept-Encoding HTTP header parser. When this parser encounters certain invalid values within the Accept-Encoding header, it fails to handle them gracefully and instead throws a system error. Because Hapi.js rethrows system errors rather than catching them as expected application errors, this unhandled exception propagates up the call stack and, if no unhandled exception handler is present, causes the entire application process to exit. An attacker can craft an HTTP request with a malicious Accept-Encoding header to trigger this error and shut down the server.
What is the Impact of GHSA-9vrw-m88g-w75q?
Successful exploitation may allow attackers to disrupt service availability by causing the application to crash, leading to a Denial of Service for legitimate users.
What is the Exploitability of GHSA-9vrw-m88g-w75q?
Exploitation of this vulnerability is low to moderate in complexity. It requires an attacker to send a specially crafted HTTP request containing invalid values in the Accept-Encoding header. No prior authentication or specific privileges are required, making it a remote and unauthenticated attack. The primary prerequisite is that the target server is running a vulnerable version of @hapi/accept. The likelihood of successful exploitation is increased if the web application is exposed to the internet and lacks proper input validation for HTTP headers, or if no unhandled exception handler is configured, allowing the application to crash upon error.
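The two conditions named above (header input validation and an exception that is allowed to escape) can both be addressed in front of the library parser. The following is an added defensive example, not code from @hapi/accept or hapi: a syntax check of the Accept-Encoding value against the RFC 7231 grammar that rejects malformed headers with a 400 before parsing, plus a wrapper that turns any parser throw into a client error instead of a process crash. The 512-byte length cap and the `onRequestGuard` wiring (assumed shape of hapi's `server.ext('onRequest', ...)` toolkit API) are assumptions of this example.

```javascript
'use strict';

// Accept-Encoding grammar from RFC 7231 §5.3.4, with token (§3.2.6) and
// qvalue (§5.3.1). Every repeated group is anchored on a literal
// (',', ';', 'q=') so the pattern itself does not backtrack catastrophically.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QVALUE = '(?:0(?:\\.[0-9]{0,3})?|1(?:\\.0{0,3})?)';
const CODING = `(?:${TOKEN}|\\*)(?:[ \\t]*;[ \\t]*q=${QVALUE})?`;
// #rule list syntax: elements may be empty, optional whitespace around commas.
const ACCEPT_ENCODING = new RegExp(
  `^[ \\t]*(?:${CODING})?(?:[ \\t]*,[ \\t]*(?:${CODING})?)*[ \\t]*$`
);

// True only for a syntactically well-formed Accept-Encoding value.
// The 512-byte cap is an assumed sanity limit, not part of the RFC.
function isWellFormedAcceptEncoding(value) {
  return typeof value === 'string' && value.length <= 512 && ACCEPT_ENCODING.test(value);
}

// Pre-parser check over a Node-style lowercase headers object. A malformed
// value yields a 400 verdict before any library parser ever sees it.
function checkAcceptEncoding(headers) {
  const raw = headers['accept-encoding'];
  if (raw === undefined) return { ok: true };           // absent header is fine
  const value = Array.isArray(raw) ? raw.join(', ') : raw;
  if (!isWellFormedAcceptEncoding(value)) {
    return { ok: false, status: 400, reason: 'malformed Accept-Encoding header' };
  }
  return { ok: true };
}

// Second layer: a parser exception must not escape as a system error.
// Any throw from the wrapped parser becomes a client error, not a crash.
function guardedParse(parseFn, value) {
  try {
    return { ok: true, result: parseFn(value) };
  } catch (err) {
    return { ok: false, status: 400, reason: `unparseable header: ${err.message}` };
  }
}

// Hapi wiring (assumed shape of the request-lifecycle extension API; register
// with server.ext('onRequest', onRequestGuard); not executed in this file).
function onRequestGuard(request, h) {
  const verdict = checkAcceptEncoding(request.headers);
  if (verdict.ok) return h.continue;
  return h.response({ message: verdict.reason }).code(400).takeover();
}
```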
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-9vrw-m88g-w75q?
Available Upgrade Options
- @hapi/accept
  - >=3.2.0, <3.2.4 → Upgrade to 3.2.4
  - >=4.0.0, <5.0.1 → Upgrade to 5.0.1
Additional Resources
What are Similar Vulnerabilities to GHSA-9vrw-m88g-w75q?
Similar Vulnerabilities: GHSA-23vw-mhv5-grv5, CVE-2020-26302
