@hapi/content CVE-2026-44974
HIGHLifecycle Timeline
2Blast Radius
ecosystem impact- 504 npm packages depend on @hapi/content (4 direct, 500 indirect)
Ecosystem-wide dependent count for version 6.0.2.
DescriptionCVE.org
Impact
The two parsers resolved duplicates inconsistently and silently:
Content.disposition()retained the last occurrence of each parameter.Content.type()retained the first occurrence of charset and boundary.
Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass:
Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"
Patches
The issue has been patched in 6.0.2.
Workarounds
Pre or post validate headers looking for duplicates.
Resources
AnalysisAI
Upload filename allowlist bypass in the @hapi/content npm header parser (versions < 6.0.2) lets remote attackers smuggle malicious parameters past upstream validation. The library's Content.disposition() retained the last occurrence of a duplicated parameter while Content.type() retained the first occurrence of charset/boundary, so when a WAF, reverse proxy, or security filter resolves the same duplicate the opposite way, the two layers disagree on values such as the upload filename. No public exploit code or active exploitation has been identified; the GitHub Security Advisory (GHSA-36hh-x5p5-jgc8) documents the exact smuggling header but no CVSS score or EPSS data is provided.
Technical ContextAI
@hapi/content is the header-parsing helper used by the hapi.js web framework to interpret Content-Type and Content-Disposition headers (per RFC 7231 §3.1.1.1 and RFC 6266 §4.1) for multipart form uploads. The flaw is a classic CWE-436 Interpretation Conflict: the parser silently tolerated duplicate parameters and resolved them deterministically but inconsistently (last-wins for Content-Disposition, first-wins for Content-Type charset/boundary). Because RFC 7230 §3.2.6 token rules were also loosely enforced, a crafted header like 'Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"' parses differently in @hapi/content than in another component that takes the first value, producing a parameter-smuggling primitive. The CPE pkg:npm/@hapi_content confirms this is the JavaScript/Node.js package, not a PHP component despite the 'PHP' tag, which derives only from the .php extension used in the example payload.
RemediationAI
Vendor-released patch: 6.0.2 - upgrade @hapi/content to 6.0.2 or later (fix commit 3850079550c191d25e3643dc82a6d61144db8c2f), which makes the parser reject duplicate charset/boundary and Content-Disposition parameters with a Boom badRequest error and tightens token-character validation. Run 'npm ls @hapi/content' to find transitive pulls and bump the resolution if a dependency pins an older version. As an interim workaround per the advisory, pre- or post-validate incoming Content-Type and Content-Disposition headers to detect and reject duplicate parameters before they reach the parser; the trade-off is that custom header validation must exactly mirror the parser's RFC handling or it can break legitimate ext-value (filename*) uploads. Advisory: https://github.com/hapijs/content/security/advisories/GHSA-36hh-x5p5-jgc8.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-436 – Interpretation Conflict
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-36hh-x5p5-jgc8