CVE-2026-35213
ReDoS Vulnerability in @hapi/content HTTP Header Parsing
Publication date: 2026-04-06
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| content_project | content | up to 6.0.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the @hapi/content package versions up to 6.0.0, which handles parsing of HTTP Content-* headers. It is a Regular Expression Denial of Service (ReDoS) vulnerability caused by three regular expressions used to parse Content-Type and Content-Disposition headers. These regular expressions contain patterns that can lead to catastrophic backtracking when processing crafted HTTP header values, allowing an attacker to cause a denial of service.
How can this vulnerability impact me?
This vulnerability can be exploited by an attacker sending specially crafted HTTP headers that trigger the vulnerable regular expressions to perform excessive backtracking. This can cause the application using @hapi/content to consume excessive CPU resources, leading to degraded performance or denial of service, potentially making the service unavailable to legitimate users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade @hapi/content to version 6.0.1 or later, where the Regular Expression Denial of Service (ReDoS) issue has been fixed.
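As an added illustration of the mitigation approach described above (this is not @hapi/content's code and not its fixed regular expressions), the parser below reads a Content-Type header in a single left-to-right pass, so its cost grows linearly with the header length and there is no regex backtracking to trigger; the MAX_HEADER_LENGTH cap is an assumed value chosen for the example.

```javascript
// Constructed example: a single-pass Content-Type parser with no backtracking.
// Not @hapi/content's implementation; MAX_HEADER_LENGTH is an assumed limit.
const MAX_HEADER_LENGTH = 8 * 1024;
// RFC 7230 "tchar" set, tested one character at a time (no backtracking possible).
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]$/;

function parseContentType(header) {
  // Reject oversized input before doing any work: O(1) cost for abusive sizes.
  if (typeof header !== 'string' || header.length > MAX_HEADER_LENGTH) return null;
  const s = header, n = s.length;
  let i = 0;
  const skipWs = () => { while (i < n && (s[i] === ' ' || s[i] === '\t')) i++; };
  const readToken = () => {            // consume a run of tchar, advance the cursor
    const start = i;
    while (i < n && TCHAR.test(s[i])) i++;
    return s.slice(start, i);
  };
  skipWs();
  const type = readToken();
  if (!type || s[i] !== '/') return null;
  i++;
  const subtype = readToken();
  if (!subtype) return null;
  const params = {};
  skipWs();
  while (i < n) {                      // each iteration consumes "; name=value"
    if (s[i] !== ';') return null;
    i++;
    skipWs();
    const name = readToken();
    if (!name || s[i] !== '=') return null;
    i++;
    let value;
    if (s[i] === '"') {                // quoted-string with backslash escapes
      i++;
      let out = '';
      while (i < n && s[i] !== '"') {
        if (s[i] === '\\' && i + 1 < n) i++;
        out += s[i++];
      }
      if (s[i] !== '"') return null;   // unterminated quote: reject, do not retry
      i++;
      value = out;
    } else {
      value = readToken();
      if (!value) return null;
    }
    params[name.toLowerCase()] = value;
    skipWs();
  }
  return { mime: `${type}/${subtype}`.toLowerCase(), params };
}
```

Every cursor move is forward-only, so the worst-case running time is proportional to the header length; malformed input fails at the first offending character instead of being re-scanned.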