@hapi/content Regular Expression Denial-of-Service Vulnerability in HTTP Header Parsing
Vulnerability
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the @hapi/content package, affecting all versions through 6.0.0. The issue arises from three regular expressions used to parse Content-Type and Content-Disposition headers, which contain patterns vulnerable to catastrophic backtracking. An unauthenticated remote attacker can exploit this vulnerability by sending a single HTTP request with a crafted header value, causing a Node.js process to become unresponsive.
Impact
Exploitation of this vulnerability leads to a denial-of-service condition, causing the Node.js process to become unresponsive.
Remediation
Users are advised to upgrade to version 6.0.1, which addresses this vulnerability by tightening the regular expressions to eliminate the backtracking issue.
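Independent of the upstream fix, the parsing this advisory concerns can be written so that catastrophic backtracking is impossible. The following single-pass Content-Type parser with a length guard is an added example for this page, not code from @hapi/content; the MAX_HEADER_LENGTH value is an assumed cap.

```javascript
const MAX_HEADER_LENGTH = 1024; // assumed cap, not a hapi setting; tune per deployment
// RFC 7230 tchar set, tested one character at a time, so no backtracking is possible.
const TOKEN_CHAR = /[!#$%&'*+.^_`|~0-9A-Za-z-]/;
// Parse `type/subtype; name=value; name="quoted"` in one left-to-right scan.
// Each character is visited once, so cost is O(n) whatever shape the input has.
function parseContentType(header) {
  if (typeof header !== 'string') throw new TypeError('header must be a string');
  if (header.length > MAX_HEADER_LENGTH) throw new RangeError('Content-Type header too long');
  const n = header.length;
  let i = 0;
  const skipWs = () => { while (i < n && (header[i] === ' ' || header[i] === '\t')) i++; };
  const readToken = () => {
    const start = i;
    while (i < n && TOKEN_CHAR.test(header[i])) i++;
    if (i === start) throw new Error(`expected token at offset ${start}`);
    return header.slice(start, i);
  };
  skipWs();
  const type = readToken();
  if (header[i++] !== '/') throw new Error('expected "/" after media type');
  const subtype = readToken();
  const params = {};
  skipWs();
  while (i < n) {
    if (header[i] !== ';') throw new Error(`unexpected "${header[i]}" at offset ${i}`);
    i++; skipWs();
    if (i === n) break; // tolerate a trailing ";"
    const name = readToken().toLowerCase();
    if (header[i] !== '=') throw new Error(`expected "=" after parameter "${name}"`);
    i++;
    let value;
    if (header[i] === '"') { // quoted-string: may contain ";" and backslash-escaped quotes
      i++; let out = '';
      while (i < n && header[i] !== '"') {
        if (header[i] === '\\' && i + 1 < n) i++; // quoted-pair: keep the escaped char
        out += header[i++];
      }
      if (i === n) throw new Error('unterminated quoted-string');
      i++; value = out;
    } else {
      value = readToken();
    }
    params[name] = value;
    skipWs();
  }
  return { mime: `${type}/${subtype}`.toLowerCase(), params };
}
```

Because the parser never re-examines input, an oversized or malformed header costs at most one pass before it is rejected, which is the property a regex with nested or overlapping quantifiers lacks.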
