
Rosetta-Flash JSONP Vulnerability in hapi

Moderate severity GitHub Reviewed Published Aug 31, 2020 to the GitHub Advisory Database • Updated Apr 14, 2023

Package

npm hapi (npm)

Affected versions

< 6.1.0

Patched versions

6.1.0

Description

This description is taken from the pull request provided by Patrick Kettner.

Versions of hapi before 6.1.0 (the affected range listed above) are vulnerable to a Rosetta Flash attack: an attacker supplies a specially crafted, alphanumeric-only SWF file as the JSONP callback name, so the JSONP response itself becomes a valid Flash file served from the vulnerable origin. A page on an attacker's domain can then load that response with the Flash runtime and use it to read data across domains, bypassing the browser same-origin policy.

Recommendation

  • Update hapi to version 6.1.0 or later (the patched version listed above).

Alternatively, a solution previously implemented by Google, Facebook, and GitHub is to prepend the callback with an empty inline comment ("/**/"). The Flash loader only accepts a response as a SWF if its first bytes form a valid SWF signature, so the leading comment, which is harmless to the JavaScript engine, makes the response invalid to the Flash parser and prevents the issue. This is also how the issue has been resolved in hapi.
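The following is an added example, not hapi's own code, showing the two behaviours side by side: a minimal JSONP responder that places the attacker-controlled callback at the start of the body, and a hardened one that applies the "/**/" prefix described above. The SWF signature check mirrors how the Flash loader recognises a SWF (first three bytes "FWS", "CWS" or "ZWS"); the callback-name regex and the sample callback value are assumptions constructed for this example.

```javascript
// Added example (not hapi's code): minimal JSONP responders showing why a
// Rosetta Flash callback works against an unprefixed response and why the
// "/**/" prefix defeats it.

// The Flash loader decides whether a response is a SWF by its first three
// bytes: "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA). The Rosetta Flash
// tool emits a SWF made only of alphanumeric characters, so the whole file can
// be passed as a JSONP callback name and the response starts with "CWS...".
const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

function looksLikeSwf(body) {
  return SWF_SIGNATURES.includes(body.slice(0, 3));
}

// Vulnerable: the attacker-controlled callback is the very first thing in
// the body, so the attacker controls the bytes the Flash loader inspects.
function jsonpVulnerable(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Hardened: the body now starts with "/**/", a no-op for the JavaScript
// engine that can never match a SWF signature. The identifier check is an
// additional assumption for this example (it rejects "(", ")", "<", spaces,
// etc.) and is not hapi's validation logic.
const CALLBACK_RE = /^[A-Za-z_$][\w$.]*$/;

function jsonpHardened(callback, payload) {
  if (!CALLBACK_RE.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return `/**/${callback}(${JSON.stringify(payload)});`;
}

// Constructed stand-in for a Rosetta Flash payload: a real one is several
// kilobytes of alphanumerics; only the leading SWF signature matters here.
const ROSETTA_LIKE_CALLBACK = 'CWSfakeAlphanumericSwfBodyForDemo';
const payload = { user: 'alice', token: 'secret-session-data' };

console.log(looksLikeSwf(jsonpVulnerable(ROSETTA_LIKE_CALLBACK, payload))); // true
console.log(looksLikeSwf(jsonpHardened(ROSETTA_LIKE_CALLBACK, payload)));   // false
```

The prefix is what actually closes the hole: even a callback that passes the identifier check can still begin with "CWS", so input validation alone is not sufficient, whereas "/**/" guarantees the first bytes are never under attacker control.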

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Aug 31, 2020
Last updated Apr 14, 2023

Severity

Moderate

EPSS score

6.868%
(94th percentile)

Weaknesses

CVE ID

CVE-2014-4671

GHSA ID

GHSA-363h-vj6q-3cmj

Source code

Credits
