Home > Vulnerability Database > CVE-2017-16025

Mend.io Vulnerability Database

CVE-2017-16025

Good to know:

Date: June 4, 2018

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to "cookie". Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.

Language: JS

Severity Score

5.9

Related Resources (7)

Url: https://github.com/advisories/GHSA-3pwh-5mmc-mwrx

Url: https://www.npmjs.com/advisories/331

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-16025

Url: https://github.com/hapijs/nes/commit/249ba1755ed6977fbc208463c87364bf884ad655

Url: https://github.com/hapijs/nes/issues/171

Url: https://nodesecurity.io/advisories/331

Url: https://www.mend.io/vulnerability-database/CVE-2017-16025

Severity Score

5.9

Weakness Type (CWE)

Improper Authentication

CWE-287

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version nes - 6.4.1;nes - 6.4.1

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-16025

Good to know:

Date: June 4, 2018

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?