CVE-2017-16013: Denial of Service via malformed accept-encoding header in hapi

CVSS Score
7.5 (CVSS v3.0)

Basic Information

EPSS Score
0.55713%
Published
10/9/2018
Updated
9/7/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions     First Patched Version
hapi           npm         >= 15.0.0, <= 16.1.0    16.1.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper error handling in the `accept-encoding` header processing. The key change in `compression.js` shows the original implementation did not handle errors from `Accept.encoding()`, which would throw and crash the process. The function `internals.Compression.prototype.accept` is the direct point where malformed input was processed without validation. The `request.js` changes show this function was called during request initialization, but the root vulnerability resides in the `compression.js` implementation.
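An added illustration of the pattern described above, not hapi's own code: `parseAcceptEncoding` is a hypothetical stand-in for the library's `Accept.encoding()` that throws on a header it cannot parse, called once with no error handling (the vulnerable shape) and once wrapped so a bad header produces a 400 response instead of an uncaught exception.

```javascript
// Added example (not hapi's code). parseAcceptEncoding is a hypothetical stand-in
// for the library's Accept.encoding(): it throws on any header it cannot parse.
const SUPPORTED = ['gzip', 'deflate', 'identity'];
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 token characters

function parseAcceptEncoding(header) {
  if (header === undefined || header.trim() === '') return 'identity';
  const candidates = [];
  for (const part of header.split(',')) {
    const [name, ...params] = part.split(';').map((s) => s.trim());
    if (!TOKEN.test(name)) throw new Error(`invalid encoding token: "${name}"`);
    let q = 1;
    for (const p of params) {
      const m = /^q=(\d(?:\.\d{0,3})?)$/.exec(p);           // q=0 .. q=1.000
      if (!m || Number(m[1]) > 1) throw new Error(`invalid q-value: "${p}"`);
      q = Number(m[1]);
    }
    candidates.push({ name: name.toLowerCase(), q });
  }
  candidates.sort((a, b) => b.q - a.q);                    // stable sort keeps order on ties
  for (const c of candidates) {
    if (c.q === 0) continue;                                // explicitly refused
    if (c.name === '*') return SUPPORTED[0];
    if (SUPPORTED.includes(c.name)) return c.name;
  }
  return 'identity';
}

// Vulnerable shape: the parser's exception escapes request initialization.
// In a Node HTTP server an exception nobody catches here becomes an
// uncaughtException, which terminates the whole process (one request, no service).
function acceptVulnerable(headers) {
  return parseAcceptEncoding(headers['accept-encoding']);
}

// Hardened shape: a malformed header is a client error, so it is reported as one
// and the process keeps serving other requests.
function acceptHardened(headers) {
  try {
    return { statusCode: 200, encoding: parseAcceptEncoding(headers['accept-encoding']) };
  } catch (err) {
    return { statusCode: 400, error: 'Invalid accept-encoding header' };
  }
}
```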


WAF Protection Rules

WAF Rule

Affected versions of `hapi` will crash or lock the event loop when a malformed `accept-encoding` header is received.

Recommendation

Update to version 16.1.1 or later.
