CVE-2026-35213
Received Received - Intake
ReDoS Vulnerability in @hapi/content HTTP Header Parsing

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35213
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
content_project content to 6.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the @hapi/content package versions up to 6.0.0, which handles parsing of HTTP Content-* headers. It is a Regular Expression Denial of Service (ReDoS) vulnerability caused by three regular expressions used to parse Content-Type and Content-Disposition headers. These regular expressions contain patterns that can lead to catastrophic backtracking when processing crafted HTTP header values, allowing an attacker to cause a denial of service.

Impact Analysis

This vulnerability can be exploited by an attacker sending specially crafted HTTP headers that trigger the vulnerable regular expressions to perform excessive backtracking. This can cause the application using @hapi/content to consume excessive CPU resources, leading to degraded performance or denial of service, potentially making the service unavailable to legitimate users.

Mitigation Strategies

To mitigate this vulnerability, upgrade @hapi/content to version 6.0.1 or later, where the Regular Expression Denial of Service (ReDoS) issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart