Platform: nodejs
Component: hapi
Fixed in: 2.2.0
CVE-2014-3742 is a denial-of-service (DoS) vulnerability affecting versions 2.0.x and 2.1.x of the hapi Node.js framework. An attacker can trigger a file descriptor leak by repeatedly sending requests, eventually leading to the server running out of available file descriptors and crashing. The vulnerability is resolved in version 2.2.0 and users are strongly advised to upgrade immediately.
The primary impact of CVE-2014-3742 is a denial-of-service. A successful exploit allows an attacker to crash the hapi server, rendering it unavailable to legitimate users. The severity of the impact depends on the system's file descriptor limit; a lower limit means the server will crash more quickly. While the vulnerability description explicitly states no other side effects or exploits have been identified, a prolonged DoS can disrupt critical services and potentially mask other malicious activity. This vulnerability shares similarities with other resource exhaustion attacks, where an attacker overwhelms a system's resources to cause failure.
CVE-2014-3742 was published in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. It is not listed on KEV or EPSS. While the vulnerability is relatively old, systems running older versions of hapi may still be present, particularly in legacy environments, making them potential targets. Refer to the NVD entry for further details.
Exploit Status
EPSS: 0.73% (73rd percentile)
The recommended mitigation for CVE-2014-3742 is to upgrade to hapi version 2.2.0 or later. This version contains the fix for the file descriptor leak. If upgrading immediately is not possible, consider implementing temporary workarounds such as rate limiting incoming requests to the vulnerable endpoints. WAFs or proxy servers can be configured to limit the number of requests from a single IP address within a given timeframe. Monitoring system resource usage, particularly the number of open file descriptors, can provide early warning signs of an ongoing attack.
CVE-2014-3742 is a denial-of-service vulnerability in hapi versions 2.0.x and 2.1.x. Repeated requests cause a file descriptor leak, crashing the server. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using hapi versions 2.0.x or 2.1.x. hapi is normally installed as a project dependency rather than globally, so check the version from the project directory with npm list hapi or node -e 'console.log(require("hapi/package.json").version)'. If the version is vulnerable, you need to upgrade.
Upgrade to hapi version 2.2.0 or later. This resolves the file descriptor leak. As a temporary workaround, implement rate limiting or monitor file descriptor usage.
There is no current evidence of active exploitation campaigns targeting CVE-2014-3742. However, systems running vulnerable versions remain at risk.
Refer to the hapi project's release notes and security advisories on their GitHub repository: https://github.com/hapijs/hapi/releases