VYPR
High severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 17, 2024

CVE-2017-16025

Description

Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nes WebSocket library for hapi has a denial-of-service vulnerability when an invalid Cookie header is sent during authentication.

Vulnerability

Nes is a WebSocket extension library for the hapi web server framework. In versions 6.4.0 and earlier, when WebSocket authentication is configured to use the cookie type, the _authenticate method calls this._listener._connection.states.parse(cookies, ...) without handling errors. If a client sends an invalid Cookie header (e.g., a malformed cookie value), the parse callback receives an error and state is null, causing the code to attempt state[config.cookie] on a null value, resulting in a TypeError that crashes the Node.js process. The vulnerability exists only when the auth option is set to { type: 'cookie' } [1][3].

Exploitation

An attacker must be able to send a WebSocket upgrade request to an affected server that has WebSocket authentication set to cookie. No prior authentication or special privileges are required. The attacker simply includes a malformed Cookie header (e.g., a cookie value that is an empty string or an invalid JSON string) in the WebSocket handshake request. This causes the this._listener._connection.states.parse method to fail, returning an error and null for state. The server then attempts to access state[config.cookie] on null, throwing an unhandled exception that terminates the Node.js process [1][2][3].

Impact

Successful exploitation results in an unhandled exception that crashes the Node.js server process, causing a denial of service (DoS). The server is unavailable until manually restarted. No data is disclosed, corrupted, or stolen; the impact is solely on availability [1][3].

Mitigation

The vulnerability is fixed in version 6.4.1. The fix modifies the cookie parse callback to check for an error and return an unauthorized response (Boom.unauthorized('Invalid nes authentication cookie')) instead of proceeding [2]. Users should upgrade to nes version 6.4.1 or later. No workaround is available; environments using the cookie-based authentication must update the library. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog [4].
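
The failure mode and its fix, as an added example that is not nes or hapi code: `parseCookies` is a hypothetical stand-in for the framework's cookie parser, and the cookie name `nes` and the sample headers are constructed for illustration.

```javascript
// Hypothetical stand-in for the framework's cookie-state parser (NOT hapi's code):
// calls back with (err, state, failed); state is null when the header is malformed.
function parseCookies(header, callback) {
    const state = {};
    for (const pair of header.split(';')) {
        const match = /^\s*([^=\s;"]+)=([^;"\s]*)\s*$/.exec(pair);
        if (!match) {
            return callback(new Error('Invalid cookie header'), null, [pair]);
        }
        state[match[1]] = match[2];
    }
    return callback(null, state, []);
}

// Pre-fix shape: the error argument is ignored, so state may be null.
function authenticateUnguarded(header, cookieName) {
    let result;
    parseCookies(header, (ignoreErr, state) => {
        const auth = state[cookieName];        // TypeError when state is null
        result = { credentials: auth || null };
    });
    return result;
}

// Post-fix shape: a parse failure becomes an authentication failure.
// The extra !state check is defensive and goes beyond the upstream fix.
function authenticateGuarded(header, cookieName) {
    let result;
    parseCookies(header, (err, state) => {
        if (err || !state) {
            result = { error: 'Invalid nes authentication cookie', statusCode: 401 };
            return;
        }
        result = { credentials: state[cookieName] || null };
    });
    return result;
}

// Report how a handler behaves on one header without killing this process.
function outcome(fn, header) {
    try { return fn(header, 'nes'); } catch (e) { return { crashed: e.name }; }
}

// Constructed sample headers: one well-formed, one malformed (the value used in the fix's test).
for (const header of ['nes=abc123', '"']) {
    console.log(JSON.stringify(header), outcome(authenticateUnguarded, header), outcome(authenticateGuarded, header));
}
```

In a real server the unguarded `TypeError` is thrown inside an I/O callback with no surrounding `try`, which is why it terminates the process instead of being caught as it is here.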

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
nes (npm) | < 6.4.1 | 6.4.1

Patches

249ba1755ed6

Fix invalid cookie header. Closes #171

https://github.com/hapijs/nes · Eran Hammer · Mar 20, 2017 · via ghsa
3 files changed · +43 -3
  • lib/socket.js · +6 -1 · modified
    @@ -537,7 +537,12 @@ internals.Socket.prototype._authenticate = function () {
             return;
         }
     
    -    this._listener._connection.states.parse(cookies, (ignoreErr, state, failed) => {
    +    this._listener._connection.states.parse(cookies, (err, state, failed) => {
    +
    +        if (err) {
    +            this.auth._error = Boom.unauthorized('Invalid nes authentication cookie');
    +            return;
    +        }
     
             const auth = state[config.cookie];
             if (auth) {
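
Review bot: the new `if (err)` guard in the `states.parse` callback protects `state[config.cookie]` only when the parser reports the failure through `err`; consider `if (err || !state)` so that a null `state` without an error can never reach the dereference. The third argument `failed` is still unused and the original `err` is discarded, so recording it before setting `this.auth._error` would let operators see repeated malformed-cookie handshakes. The hunk adds no `require`, so confirm `Boom` is already in scope in lib/socket.js.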
    
  • package.json · +2 -2 · modified
    @@ -1,7 +1,7 @@
     {
       "name": "nes",
       "description": "WebSocket adapter plugin for hapi routes",
    -  "version": "6.4.0",
    +  "version": "6.4.1",
       "repository": "git://github.com/hapijs/nes",
       "main": "lib/index.js",
       "browser": "dist/client.js",
    @@ -31,7 +31,7 @@
         "babel-preset-es2015": "^6.1.2",
         "code": "4.x.x",
         "hapi": "16.x.x",
    -    "lab": "11.x.x"
    +    "lab": "13.x.x"
       },
       "babel": {
         "presets": ["es2015"]
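
Review bot: the `lab` range in this second package.json hunk moves from 11.x.x to 13.x.x, two major versions, in the same commit as the cookie fix. Splitting the test-runner upgrade into its own commit would keep the security patch minimal and easier to audit or backport.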
    
  • test/auth.js · +35 -0 · modified
    @@ -392,6 +392,41 @@ describe('authentication', () => {
                 });
             });
     
    +        it('errors on invalid cookie', (done) => {
    +
    +            const server = new Hapi.Server();
    +            server.connection();
    +
    +            server.register({ register: Nes, options: { auth: { type: 'cookie' } } }, (err) => {
    +
    +                expect(err).to.not.exist();
    +
    +                server.auth.scheme('custom', internals.implementation);
    +                server.auth.strategy('default', 'custom', true);
    +
    +                server.route({
    +                    method: 'GET',
    +                    path: '/',
    +                    handler: function (request, reply) {
    +
    +                        return reply('hello');
    +                    }
    +                });
    +
    +                server.start((err) => {
    +
    +                    expect(err).to.not.exist();
    +                    const client = new Nes.Client('http://localhost:' + server.info.port, { ws: { headers: { cookie: '"' } } });
    +                    client.connect((err) => {
    +
    +                        expect(err).to.be.an.error('Invalid nes authentication cookie');
    +                        client.disconnect();
    +                        server.stop(done);
    +                    });
    +                });
    +            });
    +        });
    +
             it('overrides cookie path', (done) => {
     
                 const server = new Hapi.Server();
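
Review bot: the new 'errors on invalid cookie' test asserts only on the client-side error message for a single header value, which does not prove the server survived. Since the defect being fixed took the process down, follow the failed `client.connect` with a second, well-formed connection against the same `server` and assert that it succeeds before calling `server.stop(done)`.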
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
