High severity 7.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 16, 2026
CVE-2026-35213
Description
@hapi/content provides parsing of HTTP Content-* headers. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @hapi/content (npm) | < 6.0.1 | 6.0.1 |
Affected products
osv-coords, 22 versions. No CPE is listed for any entry.
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r17 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r17 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r17 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.14-r2 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.14-r2 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.14-r2 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r19 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r19 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r19 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r12 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r12 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.3-r4 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.3-r4 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r7 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r15 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r10 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r15 |
| pkg:npm/%40hapi/content | < 6.0.1 |
References
- github.com/hapijs/content/pull/38 (nvd: Issue Tracking, Patch; WEB)
- github.com/advisories/GHSA-jg4p-7fhp-p32p (ghsa: ADVISORY)
- github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p (nvd: Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-35213 (ghsa: ADVISORY)