Platform
nodejs
Component
hapi
Fixed in
2.2.0
CVE-2014-3742 is a denial-of-service (DoS) vulnerability affecting versions 2.0.x and 2.1.x of the hapi Node.js framework. An attacker can trigger a file descriptor leak by repeatedly sending requests, eventually leading to the server running out of available file descriptors and crashing. The vulnerability is resolved in version 2.2.0 and users are strongly advised to upgrade immediately.
This vulnerability allows an attacker to disrupt the availability of hapi-based applications by causing them to crash. The attack consists of repeatedly triggering the file descriptor leak within the hapi server. As leaked descriptors accumulate and are never closed, the process eventually hits its open-files limit, subsequent opens and accepts fail, and the server dies with a fatal error. The impact is a complete denial of service, preventing legitimate users from accessing the application. The original advisory identifies no side effects beyond the crash, but the DoS impact is significant, particularly for critical applications relying on hapi.
CVE-2014-3742 was publicly disclosed in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively straightforward to trigger.
Exploit status
EPSS
0.73% (73rd percentile)
The primary mitigation for CVE-2014-3742 is to upgrade to hapi version 2.2.0 or later, which includes the fix for the file descriptor leak. If an immediate upgrade is not feasible, consider implementing rate limiting on incoming requests to reduce the frequency of potential triggers. While not a complete solution, this can help to delay the exhaustion of file descriptors. Monitoring system resource usage, specifically the number of open file descriptors, can provide early warning signs of an attack in progress. There are no specific WAF rules or detection signatures readily available for this vulnerability, making proactive monitoring and timely patching crucial.
CVE-2014-3742 is a denial-of-service vulnerability in hapi versions 2.0.x and 2.1.x. Repeated requests cause a file descriptor leak, crashing the server. It has a CVSS score of 7.5 (HIGH).
You are affected if your application depends on hapi 2.0.x or 2.1.x. Check the version actually installed in the project (not a globally installed copy) by running npm ls hapi from the project directory, or node -p 'require("hapi/package.json").version', which reads the package metadata without loading the framework. If the version is in the affected range, upgrade.
Upgrade to hapi version 2.2.0 or later. This resolves the file descriptor leak. As a temporary workaround, implement rate limiting or monitor file descriptor usage.
There is no current evidence of active exploitation campaigns targeting CVE-2014-3742. However, systems running vulnerable versions remain at risk.
Refer to the hapi project's release notes and security advisories on their GitHub repository: https://github.com/hapijs/hapi/releases