@hapi/content CVE-2026-44974

Severity: HIGH
Weakness: Interpretation Conflict (CWE-436)
Date: 2026-05-27
Repository: https://github.com/hapijs/content
Advisory: GHSA-36hh-x5p5-jgc8
Lifecycle Timeline

Source Code Evidence Fetched
May 27, 2026 - 23:21 vuln.today
Analysis Generated
May 27, 2026 - 23:21 vuln.today

Blast Radius

  • 497 npm packages depend on @hapi/content (4 direct, 493 indirect)

Ecosystem-wide dependent count for version 6.0.2.

Description (NVD)

Impact

The two header parsers in @hapi/content resolved duplicated parameters inconsistently and silently:

  • Content.disposition() retained the last occurrence of each parameter.
  • Content.type() retained the first occurrence of charset and boundary.

Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass:

Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"

Patches

The issue has been patched in 6.0.2.

Workarounds

Validate headers for duplicated parameters, either before or after they are parsed.
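The duplicate-parameter check that this workaround calls for, applied to the Content-Disposition header shown under Impact, as an added example that is not @hapi/content's own code (headerParams, duplicateParams, resolve and validateHeader are names chosen here; the sample header is the one quoted above):

```javascript
// Added example (not @hapi/content's own code): surface duplicated parameters
// in a Content-Disposition or Content-Type value so the request can be rejected
// before a first-wins parser and a last-wins parser get a chance to disagree.

// Parse every parameter occurrence, in order, from a value such as
//   form-data; name="file"; filename="safe.txt"; filename="shell.php"
// Quoted values may contain ';' and backslash escapes; bare tokens run to ';'.
function headerParams(value) {
  const params = [];
  const re = /;\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    let v = m[2].trim();
    if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) {
      v = v.slice(1, -1).replace(/\\(.)/g, '$1'); // unescape \" and \\
    }
    params.push({ name: m[1].toLowerCase(), value: v });
  }
  return params;
}

// Parameter names that appear more than once, in order of first appearance.
function duplicateParams(value) {
  const counts = new Map();
  for (const { name } of headerParams(value)) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// What a first-occurrence parser and a last-occurrence parser would each see
// for one parameter; `agree` is false exactly when the two layers would disagree.
function resolve(value, name) {
  const vals = headerParams(value).filter((p) => p.name === name).map((p) => p.value);
  return { first: vals[0], last: vals[vals.length - 1], agree: vals[0] === vals[vals.length - 1] };
}

// The advisory's workaround: refuse any header value carrying a duplicated
// parameter instead of letting either parser silently pick a winner.
function validateHeader(value) {
  const dups = duplicateParams(value);
  return dups.length === 0
    ? { ok: true }
    : { ok: false, reason: `duplicate parameter(s): ${dups.join(', ')}` };
}

// Constructed sample input: the header value quoted in the advisory.
const SAMPLE = 'form-data; name="file"; filename="safe.txt"; filename="shell.php"';
console.log(resolve(SAMPLE, 'filename'), validateHeader(SAMPLE));
```

The same check applies to Content-Type, where a duplicated boundary or charset is what the two layers would split on.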

Analysis (AI)

Upload filename allowlist bypass in the @hapi/content npm header parser (versions < 6.0.2) lets remote attackers smuggle malicious parameters past upstream validation. The library's Content.disposition() retained the last occurrence of a duplicated parameter while Content.type() retained the first occurrence of charset/boundary, so when a WAF, reverse proxy, or security filter resolves the same duplicate the opposite way, the two layers disagree on values such as the upload filename. …

Remediation (AI)

Within 24 hours: scan all Node.js applications for @hapi/content dependency versions < 6.0.2 using npm audit or equivalent SBOM tools. Within 7 days: upgrade all affected instances to @hapi/content version 6.0.2 or later and redeploy applications. …
