CVE-2026-35213: CWE-1333: Inefficient Regular Expression Complexity in hapijs content
A Regular Expression Denial of Service (ReDoS) vulnerability exists in all versions of @hapi/content prior to 6.0.1. The vulnerability arises from inefficient regular expressions used to parse HTTP Content-Type and Content-Disposition headers, which can be exploited by crafted HTTP header values to cause catastrophic backtracking. This issue is fixed in version 6.0.1.
AI Analysis
Technical Summary
@hapi/content versions before 6.0.1 contain three regular expressions, used to parse HTTP Content-Type and Content-Disposition headers, whose pattern design permits catastrophic backtracking and therefore makes them vulnerable to ReDoS. An attacker who can send specially crafted HTTP header values to an application that parses them with @hapi/content can cause excessive CPU consumption, potentially leading to denial of service. The vulnerability is tracked as CVE-2026-35213 with a CVSS 4.0 score of 8.7 (high severity). The fix is included in version 6.0.1.
Potential Impact
Successful exploitation can cause denial of service by exhausting CPU resources when processing maliciously crafted HTTP headers. This impacts availability of applications using vulnerable versions of @hapi/content. There is no indication of privilege escalation, data disclosure, or other impacts.
Mitigation Recommendations
Upgrade to @hapi/content version 6.0.1 or later, where the vulnerable regular expressions have been fixed. Patch status is confirmed by the version update note. No other mitigation or temporary workaround is indicated.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-01T18:48:58.937Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d417e60a160ebd92da7f81
Added to database: 4/6/2026, 8:30:30 PM
Last enriched: 4/14/2026, 4:10:57 PM
Last updated: 5/22/2026, 6:05:49 AM