CVE-2026-35213

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions @hapi/content versions through 6.0.0

Description @hapi/content is susceptible to Regular Expression Denial of Service (ReDoS) through crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.

Recommendations Upgrade to version 6.0.1 or later.

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1333

Related Identifiers

CLEANSTART-2026-BE61221

CLEANSTART-2026-LC05413

CVE-2026-35213

GHSA-JG4P-7FHP-P32P

Affected Products

@Hapi/Content

CVE-2026-35213

Weakness Enumeration

Related Identifiers

Affected Products

References · 208