Hueniverse

**Name of the Vulnerable Software and Affected Versions** Eran Hammer cryptiles versions 4.1.1 and earlier **Description** The issue is related to insufficient entropy in the `randomDigits()` method, which can result in an increased likelihood of brute force attacks. This attack appears to be exploitable depending on the calling application. **Recommendations** For versions 4.1.1 and earlier, upgrade to version 4.1.2 to resolve the issue. Note that the package is deprecated and has been moved to `@hapi/cryptiles`, and it is strongly recommended to use the maintained package.

**Name of the Vulnerable Software and Affected Versions** Hapi versions prior to 11.0.0 **Description** The issue arises from incorrect CORS implementation in affected versions, leading to inconsistent headers and potentially allowing cross-origin activities that should be forbidden. Specifically, when CORS is enabled for the connection but disabled for a non-GET route, the OPTIONS prefetch request returns default CORS headers, and the subsequent actual request proceeds without returning CORS headers, thus defeating the purpose of CORS configuration on the route. **Recommendations** Update to version 11.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** call versions 2.0.1 through 3.0.1 **Description** The issue concerns a bug in the call HTTP router, primarily used by the hapi framework, where empty parameters are not validated. This could result in invalid input bypassing route validation rules. In a routing scheme such as "/api/{param}/{param2}/details", a triggering request path like "/api///" could exploit this issue. **Recommendations** Update to version 3.0.2 or later. As a temporary workaround, consider restricting access to API endpoints with empty parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** hapi versions prior to 11.1.4 **Description** The issue arises when server level, connection level, or route level CORS configurations in the hapi node module are combined, and a higher level config includes security restrictions, such as origin. In such cases, the higher level config's security restrictions can be overridden by less restrictive defaults, for example, the origin defaulting to all origins *. This may result in CORS permissions being less restrictive than intended. **Recommendations** Update to version 11.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Hawk versions prior to 3.1.3 Hawk versions 4.x prior to 4.1.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in CPU consumption or partial outage, via a long header or URI that is matched against an improper regular expression. This is related to a regular expression denial of service vulnerability. **Recommendations** Update to version 3.1.3 or later for Hawk versions prior to 3.1.3. Update to version 4.1.1 or later for Hawk versions 4.x prior to 4.1.1.