CVE Alert

CVE-2026-35213

UNKNOWN 0.0

Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing

CVSS Score 0.0
EPSS Score 0.2%
EPSS Percentile 41st

@hapi/content provides parsing of HTTP Content-* headers. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.

CWE CWE-1333
Vendor hapijs
Product content
Published Apr 6, 2026
Last Updated Apr 7, 2026

Affected Versions

hapijs / content
< 6.0.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p
github.com: https://github.com/hapijs/content/pull/38