Description
@hapi/content provides HTTP Content-* header parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Regular Expression backtracking in HTTP header parsing
Action: Patch
AI Analysis

Impact

The @hapi/content library uses regular expressions to parse Content-Type and Content-Disposition headers. Crafted header values trigger catastrophic backtracking, making the parsing routine computationally expensive and leading to a service availability outage (denial of service). This weakness aligns with CWE-1333 and is rated with a CVSS score of 8.7.

Affected Systems

All versions of the @hapi/content package up to and including 6.0.0 are affected; version 6.0.1 and later include the fix. The affected product is the hapijs:content library, used by web applications to interpret HTTP headers.

Risk and Exploitability

The high CVSS score indicates severe impact. No EPSS data is publicly available, so the exploitation probability cannot be estimated precisely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker sending HTTP requests with oversized or specially constructed Content-Type or Content-Disposition headers, which the vulnerable library processes, potentially exhausting server resources. The risk is elevated for services that rely directly on @hapi/content without additional header validation.

Generated by OpenCVE AI on April 7, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @hapi/content to version 6.0.1 or later
  • Verify that the application functions correctly after the upgrade
  • Monitor HTTP traffic for abnormal or excessively large header values that could indicate attempts to exploit ReDoS


Advisories
Source: Github GHSA
ID: GHSA-jg4p-7fhp-p32p
Title: @hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing
History

Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Hapijs; Hapijs content

Type: Vendors & Products
Values Removed: (none)
Values Added: Hapijs; Hapijs content

Tue, 07 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.

Type: Title
Values Removed: (none)
Values Added: Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1333

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:02:06.943Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35213

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-06T21:16:20.433

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:17Z

Weaknesses