CVE-2015-9241
Description
Hapi before 11.1.3 allows denial of service via a crafted If-Modified-Since or Last-Modified header that triggers an uncaught exception, holding sockets open until timeout.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hapi before 11.1.3 allows denial of service via a crafted If-Modified-Since or Last-Modified header that triggers an uncaught exception, holding sockets open until timeout.
Vulnerability
In hapi versions prior to 11.1.3, the internal internals.marshal function directly passes user-controlled values from the If-Modified-Since and Last-Modified headers into Date.parse() without a try/catch guard. Certain date strings (e.g., '275760-09-24') cause V8 to throw an 'illegal access' exception instead of returning NaN [1][3]. This results in an uncaught exception that crashes the request handler.
Exploitation
An attacker can trigger this vulnerability by sending a crafted HTTP request containing a malicious If-Modified-Since or Last-Modified header with a date string known to cause an illegal access exception in V8 (e.g., '275760-09-24'). No authentication is required, and the attack can be performed over the network with a single HTTP request [3]. The server does not send an HTTP 500 error; instead, the socket remains open until the default Node.js socket timeout of 2 minutes elapses, allowing an attacker to exhaust server resources with repeated requests [1].
Impact
Successful exploitation leads to a denial of service (DoS) because the vulnerable process fails to cleanly close the connection and may crash or become unresponsive to legitimate requests. The attack can tie up server sockets, potentially consuming all available connections and preventing service to other users [1][2].
Mitigation
The vulnerability is fixed in hapi version 11.1.3, released on an unspecified date. The fix wraps the Date.parse() call in a try/catch block (new internals.parseDate function) so that invalid date strings are safely handled without throwing an exception [4]. Users should upgrade to hapi >= 11.1.3. No workaround is documented; if upgrading is not immediately possible, input validation on the affected headers may reduce risk but is not a complete solution.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hapinpm | < 11.1.3 | 11.1.3 |
Affected products
2- Range: <11.1.3
Patches
1aab2496e930dMerge pull request #2988 from hapijs/v11.1.x
1 file changed · +11 −2
lib/transmit.js+11 −2 modified@@ -82,8 +82,8 @@ internals.marshal = function (request, next) { // Weak verifier - const ifModifiedSince = Date.parse(ifModifiedSinceHeader); - const lastModified = Date.parse(lastModifiedHeader); + const ifModifiedSince = internals.parseDate(ifModifiedSinceHeader); + const lastModified = internals.parseDate(lastModifiedHeader); if (ifModifiedSince && lastModified && @@ -147,6 +147,15 @@ internals.marshal = function (request, next) { }; +internals.parseDate = function (string) { + + try { + return Date.parse(string); + } + catch (errIgnore) { } +}; + + internals.fail = function (request, boom, callback) { const error = boom.output;
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-rc8h-3fv6-pxv8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-9241ghsaADVISORY
- github.com/hapijs/hapi/commit/aab2496e930dce5ee1ab28eecec94e0e45f03580ghsax_refsource_MISCWEB
- github.com/jfhbrook/node-ecstatic/pull/179ghsax_refsource_MISCWEB
- nodesecurity.io/advisories/63mitrex_refsource_MISC
- www.npmjs.com/advisories/63ghsaWEB
News mentions
0No linked articles in our index yet.