CVE-2026-35213
HIGH
GHSA-jg4p-7fhp-p32p
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
All versions of `@hapi/content` through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse `Content-Type` and `Content-Disposition` headers contain patterns susceptible to catastrophic backtracking. ### Impact Denial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value. ### Patches Fixed by tightening all three regular expressions to eliminate backtracking. ### Workarounds There are no known workarounds. Upgrade to the patched version.
Analysis
Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications and services using @hapi/content versions through 6.0.0 by auditing package.json and dependency trees; document affected systems and criticality. Within 7 days: Update @hapi/content to patched version (consult vendor GitHub PR #38 for exact patched release version); conduct testing in non-production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today