Denial of service - Potential socket exhaustion

Module: hapi

Published: December 23rd, 2015

Reported by: Adam Baldwin



Vulnerable: <11.1.3
Patched: >=11.1.3


Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP 500 error back to the sender, hapi will continue to hold the socket open until it times out (the default node timeout is 2 minutes).

Special thanks to James Halliday for bringing this exception pattern to our attention via the ecstatic advisory, which led to identifying this issue.


Upgrade to hapi v11.1.3 or greater.
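
The failure pattern described above, and a defensive way to handle it in your own Node handlers, as an added example (not hapi's code and not its actual fix). All function names are hypothetical, and the throwing parser and response object are constructed stand-ins so the sketch runs offline.

```javascript
'use strict';

// Parse an HTTP date header without letting a parser exception escape.
// `parse` is injectable so the failure path can be exercised; default is Date.parse.
function safeParseHttpDate(value, parse = Date.parse) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 64) {
    return null;                      // absent or implausibly long: ignore
  }
  try {
    const ms = parse(value);
    return Number.isFinite(ms) ? ms : null;
  } catch (err) {
    return null;                      // parser threw: treat header as absent
  }
}

// Status for a conditional GET. HTTP dates have one-second resolution.
function conditionalStatus(headers, lastModifiedMs, parse = Date.parse) {
  const since = safeParseHttpDate(headers['if-modified-since'], parse);
  if (since === null) return 200;
  return Math.floor(lastModifiedMs / 1000) * 1000 <= since ? 304 : 200;
}

// Wrap a synchronous handler so an exception always ends the response
// instead of leaving the socket open until the server timeout.
function guard(handler) {
  return (req, res) => {
    try {
      handler(req, res);
    } catch (err) {
      if (!res.headersSent) res.statusCode = 500;
      res.end();
    }
  };
}

// Constructed stand-ins: a parser that throws like the exception in the
// advisory, and a minimal response object for running offline.
const throwingParse = () => { throw new RangeError('illegal access'); };
const fakeRes = () => ({ statusCode: 200, headersSent: false, ended: false,
                         end() { this.ended = true; } });

function demo() {
  const req = { headers: { 'if-modified-since': 'constructed-value' } };
  const unsafe = guard((rq, rs) => { throwingParse(rq.headers['if-modified-since']); rs.end(); });
  const res = fakeRes();
  unsafe(req, res);
  return { status: res.statusCode, ended: res.ended };
}
```

`guard` only catches synchronous throws; an asynchronous handler needs the same guarantee on its rejection path.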

