PT-2026-43630 · Npm · @Hapi/Content
Published
2026-05-27
·
Updated
2026-05-27
·
CVE-2026-44974
CVSS v4.0
7.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N |
Impact
The two parsers resolved duplicates inconsistently and silently:
- Content.disposition() retained the last occurrence of each parameter.
- Content.type() retained the first occurrence of charset and boundary.
Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass:
Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"
Patches
The issue has been patched in 6.0.2.
Workarounds
Validate headers before or after parsing, rejecting any Content-Disposition or Content-Type header that contains a duplicate parameter name.
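As an added example (not code from @hapi/content or from this advisory), a pre-validator implementing the workaround above: it splits a Content-Disposition or Content-Type header on unquoted `;` and rejects the header when any parameter name repeats, so it no longer matters whether a downstream parser keeps the first or the last occurrence. The two header strings at the bottom are constructed samples.

```javascript
// Split a header into its main value and parameter segments, honouring
// quoted strings so that a ';' inside quotes is not treated as a separator.
function splitHeader(header) {
  const parts = [];
  let current = '';
  let quoted = false;
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    // Keep backslash-escaped characters inside quoted strings verbatim.
    if (ch === '\\' && quoted && i + 1 < header.length) {
      current += ch + header[++i];
      continue;
    }
    if (ch === '"') quoted = !quoted;
    if (ch === ';' && !quoted) {
      parts.push(current);
      current = '';
      continue;
    }
    current += ch;
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Returns { ok: true, params } when every parameter name appears exactly once,
// or { ok: false, duplicates } listing the repeated names (case-insensitive).
function checkDuplicateParams(header) {
  const [, ...params] = splitHeader(header);
  const seen = new Map();
  const duplicates = new Set();
  for (const param of params) {
    const eq = param.indexOf('=');
    const name = (eq === -1 ? param : param.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : param.slice(eq + 1).trim();
    if (seen.has(name)) duplicates.add(name);
    else seen.set(name, value);
  }
  if (duplicates.size > 0) return { ok: false, duplicates: [...duplicates] };
  return { ok: true, params: Object.fromEntries(seen) };
}

// Constructed samples: the smuggling shape from the advisory and a benign header.
const smuggledDisposition = 'form-data; name="file"; filename="safe.txt"; filename="shell.php"';
const benignType = 'multipart/form-data; boundary=----abc; charset=utf-8';
```

A request whose header fails this check should be rejected outright rather than normalised, since normalising would itself have to pick one occurrence.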
Resources
Fix
Weakness Enumeration
Related Identifiers
Affected Products
@Hapi/Content