13 matches found
Interpretation Conflict
Overview: @hapi/content is an HTTP Content-* headers parsing package. Affected versions of this package are vulnerable to Interpretation Conflict due to inconsistent handling of duplicate parameters in the Content.disposition and Content.type functions. An attacker can bypass upload filename allowlists or...
GHSA-36HH-X5P5-JGC8 @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
Impact: The two parsers resolved duplicates inconsistently and silently:
- Content.disposition retained the last occurrence of each parameter.
- Content.type retained the first occurrence of charset and boundary.
Either behavior creates a parameter-smuggling primitive when another component in the...
ROOT-APP-NPM-CVE-2026-35213 CVE-2026-35213 in @rootio/hapi__content - Patched by Root
Root has patched CVE-2026-35213 in the @rootio/hapi__content package for Root:npm. Multiple fixed versions available...
CVE-2026-35213
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...
CVE-2026-35213
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...
CVE-2026-35213 Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...
CVE-2026-35213
CVE-2026-35213 affects the @hapi/content package: three regexes used to parse Content-Type and Content-Disposition headers enable Regular Expression Denial of Service (ReDoS) via crafted header values. All versions up to 6.0.0 are vulnerable; remediation is to upgrade to 6.0.1 where the issue is ...
@hapi/content Security Vulnerability
@hapi/content is an open-source HTTP content header parsing library developed by hapi.js. Versions of @hapi/content prior to 6.0.0 contain security vulnerabilities. These vulnerabilities stem from defects in the regular expressions used to parse HTTP headers, which may lead to denial-of-service...
Regular Expression Denial of Service (ReDoS)
Overview: @hapi/content is an HTTP Content-* headers parsing package. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the Content-Type and Content-Disposition header parsing. An attacker can cause the application to become unresponsive by sending a singl...
PT-2026-30322
All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. Impact: Denial of...
GHSA-5854-JVXX-2CG9 Denial of Service in content
Versions of content are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors as opposed to catching expected application...
3id-test-helper (>=1.0.0 <=1.0.4), 3nit-utils (>=0.24.0 <=0.30.0) +294 more potentially affected by unknown CVE via @hapi/content (=4.1.1)
@hapi/content NPM version =4.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on @hapi/content and may be impacted: - 3id-test-helper =1.0.0, =0.24.0, =6.8.2, =1.4.0, =0.1.0, =2.1.0, =2.5.0-next.11, =2.6.0, =2.1.0, =2.4.0, =2.1.0, =2.1.0, =2.4.0, =2.7....
Prototype Pollution
@hapi/content causes prototype pollution. The vulnerability exists as it allows the value __proto__ to be passed through the multipart name variable...