CVE-2026-35213
Received Received - Intake

ReDoS Vulnerability in @hapi/content HTTP Header Parsing

Vulnerability report for CVE-2026-35213, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description

@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-06
Last Modified
2026-04-16
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
content_project content to 6.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the @hapi/content package versions up to 6.0.0, which handles parsing of HTTP Content-* headers. It is a Regular Expression Denial of Service (ReDoS) vulnerability caused by three regular expressions used to parse Content-Type and Content-Disposition headers. These regular expressions contain patterns that can lead to catastrophic backtracking when processing crafted HTTP header values, allowing an attacker to cause a denial of service.

Impact Analysis

This vulnerability can be exploited by an attacker sending specially crafted HTTP headers that trigger the vulnerable regular expressions to perform excessive backtracking. This can cause the application using @hapi/content to consume excessive CPU resources, leading to degraded performance or denial of service, potentially making the service unavailable to legitimate users.

Mitigation Strategies

To mitigate this vulnerability, upgrade @hapi/content to version 6.0.1 or later, where the Regular Expression Denial of Service (ReDoS) issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart