{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35213", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-06T20:08:54.811Z", "dateUpdated": "2026-04-07T14:02:06.943Z"}, "containers": {"cna": {"title": "Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p"}, {"name": "https://github.com/hapijs/content/pull/38", "tags": ["x_refsource_MISC"], "url": "https://github.com/hapijs/content/pull/38"}], "affected": [{"vendor": "hapijs", "product": "content", "versions": [{"version": "< 6.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:08:54.811Z"}, "descriptions": [{"lang": "en", "value": "@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1."}], "source": {"advisory": "GHSA-jg4p-7fhp-p32p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:01:56.331650Z", "id": "CVE-2026-35213", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:02:06.943Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:content_project:content:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2F8E3E13-3F65-4403-962F-D6588E8D0F87", "versionEndExcluding": "6.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1."}], "id": "CVE-2026-35213", "lastModified": "2026-04-16T04:26:29.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:20.433", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/hapijs/content/pull/38"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "content", "source": "cna", "vendor": "hapijs"}, "product": "content", "vendor": "hapijs"}], "analysis": {"en": {"generated_at": "2026-04-07T02:05:34.636100+00:00", "value": {"mitigation_remediation": ["Upgrade @hapi/content to version 6.0.1 or later", "Verify that the application functions correctly after the upgrade", "Monitor HTTP traffic for abnormal or excessively large header values that could indicate attempts to exploit ReDoS"], "summary": {"action": "Patch", "impact": "Denial of Service via Regular Expression backtracking in HTTP header parsing"}, "threat_synthesis": {"affected_systems": "All versions of the @hapi/content package up to and including 6.0.0 are affected. Versions before 6.0.1 lack the fix, while v6.0.1 and later include the remediation. The product impacted is the hapijs:content library used by web applications to interpret HTTP headers.", "description_and_impact": "The @hapi/content library contains regular expressions that parse Content-Type and Content-Disposition headers. Crafted header values trigger catastrophic backtracking, causing the parsing routine to become computationally expensive and leading to a Service Availability outage. This weakness aligns with CWE\u20111333 and is rated with a CVSS score of 8.7.", "risk_and_exploitability": "The high CVSS score indicates severe impact. No EPSS data is publicly available, making precise exploitation probability uncertain, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker crafting malicious HTTP requests with oversized or specially constructed Content-Type or Content-Disposition headers, which the vulnerable library will process, potentially exhausting server resources. The risk is elevated for services that rely directly on @hapi/content without additional header validation."}}}}, "created": "2026-04-07T06:54:15.835948+00:00", "updated": "2026-04-07T09:37:17.101099+00:00", "vendors": ["hapijs", "hapijs$PRODUCT$content"]}