High severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 17, 2024

CVE-2017-16013

Description

Hapi.js 15.0.0 to 16.1.0 crashes or hangs connections when a malformed accept-encoding header is sent, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In hapi versions >= 15.0.0 and <= 16.1.0, a malformed accept-encoding header triggers an uncaught exception. The framework fails to handle the header when its value does not conform to the specification, causing an assertion failure in lib/compression.js at Hoek.assert(encoder !== undefined, 'Unknown encoding ${encoding}'). This results in no response being sent to the client [1][2].

Exploitation

An attacker can send a crafted HTTP request with a malformed accept-encoding header (e.g., using a non-standard encoding value) to a hapi server running a vulnerable version. No authentication or special network position is required beyond the ability to reach the server. The server either crashes or leaves the client connection hanging until the timeout period is reached [1][2].

Impact

Successful exploitation causes a denial of service (DoS). The server may crash, or the client connection remains open without a response, leading to resource exhaustion and potential cascading failures in reverse proxies due to timeout logs [1][2]. The availability of the service is impacted.

Mitigation

Upgrade to hapi version 16.1.1 or later, which includes the fix for this issue. No known workaround is available. The vulnerability is not listed in CISA KEV [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
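The defensive behaviour the mitigation section implies (tolerate an Accept-Encoding value that does not match the specification instead of asserting) can be illustrated with a small content-negotiation routine. This is an added example, not hapi's lib/compression.js; the SUPPORTED set and the function names are assumptions made for the illustration.

```javascript
// Added illustrative example (not hapi's own code). It selects a response
// encoding from an Accept-Encoding header and treats unknown or malformed
// values as "no preference", falling back to identity rather than raising
// an uncaught exception that would drop or hang the connection.

// Encoders the hypothetical server can apply; 'identity' means no encoding.
const SUPPORTED = new Set(['gzip', 'deflate', 'identity']);

// Parse e.g. "gzip;q=1.0, identity; q=0.5, *;q=0" into [{ name, q }].
// Entries that are not a well-formed token (optionally with a q-value)
// are skipped rather than treated as fatal.
function parseAcceptEncoding(header) {
  if (typeof header !== 'string') return [];
  const out = [];
  for (const raw of header.split(',')) {
    const [nameRaw, ...params] = raw.split(';');
    const name = nameRaw.trim().toLowerCase();
    // RFC 7230 token characters only; anything else is ignored.
    if (!/^[!#$%&'*+\-.^_`|~0-9a-z]+$/.test(name)) continue;
    let q = 1;
    for (const p of params) {
      const m = /^\s*q\s*=\s*(0(\.\d{0,3})?|1(\.0{0,3})?)\s*$/i.exec(p);
      if (m) q = parseFloat(m[1]);
    }
    out.push({ name, q });
  }
  return out;
}

// Pick the highest-q encoding the server supports. Unknown names are
// ignored, '*' expands to every supported encoder, and a header with
// nothing usable yields 'identity' instead of an error.
function selectEncoding(header) {
  const prefs = parseAcceptEncoding(header).filter((e) => e.q > 0);
  let best = null;
  for (const e of prefs) {
    const candidates = e.name === '*' ? [...SUPPORTED] : [e.name];
    for (const c of candidates) {
      if (SUPPORTED.has(c) && (best === null || e.q > best.q)) {
        best = { name: c, q: e.q };
      }
    }
  }
  return best ? best.name : 'identity';
}
```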

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: hapi (npm)
Affected versions: >= 15.0.0, < 16.1.1
Patched versions: 16.1.1
