Platform
nodejs
Component
@hapi/content
Fixed in
6.0.2
6.0.1
CVE-2026-35213 affects the @hapi/content Node.js package, specifically versions up to 6.0.0. This vulnerability allows for a Regular Expression Denial of Service (ReDoS) attack, potentially rendering Node.js processes unresponsive. The issue stems from vulnerable regular expressions used to parse HTTP headers. A fix is available in version 6.0.1.
An attacker can exploit this vulnerability by sending a single, maliciously crafted HTTP request containing specially designed header values. These headers trigger catastrophic backtracking within the vulnerable regular expressions used by @hapi/content to parse Content-Type and Content-Disposition headers. This leads to excessive CPU consumption and effectively freezes the Node.js process, resulting in a denial of service. The attack requires no authentication, making it easily exploitable. The blast radius is limited to the affected Node.js process, but widespread deployments could experience significant disruption.
This vulnerability is not currently listed on KEV or EPSS. The CVSS score of 7.5 indicates a HIGH probability of exploitation if the vulnerability is exposed. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the ReDoS nature of the vulnerability. The vulnerability was published on 2026-04-04, so active exploitation campaigns are possible.
Exploit status
EPSS
0.25% (percentile 49%)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @hapi/content version 6.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out requests with suspicious header values. Implement strict header validation logic in your application to reject requests with malformed or overly complex headers. Specifically, limit the length and complexity of Content-Type and Content-Disposition header values. After upgrading, confirm the fix by sending a test request with a known malicious header and verifying that the Node.js process remains responsive.
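The header-validation workaround described above, as an added example that is not code from @hapi/content or from this advisory: a backtracking-free pre-check that bounds Content-Type and Content-Disposition values before any parser sees them. The limit values, the `validateHeaderValue`/`checkRequestHeaders` helpers and the Express-style `headerGuard` middleware are assumptions for illustration.

```javascript
// Added example (not @hapi/content code): bound header values before parsing.
// The limits below and the middleware shape are assumptions for illustration.
const DEFAULT_LIMITS = {
  maxLength: 256,       // longest header value accepted, in characters
  maxParams: 8,         // "; name=value" fragments after the media type
  maxParamLength: 128,  // longest single fragment (media type or parameter)
};
// Only printable ASCII is accepted; anything else is rejected before parsing.
const PRINTABLE_ASCII = /^[\x20-\x7e]*$/;

// Returns { ok: true } or { ok: false, reason }. Every step is linear in the
// input (length, single-pass regex, split, count), so the guard itself is safe.
function validateHeaderValue(value, limits = {}) {
  const lim = { ...DEFAULT_LIMITS, ...limits };
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > lim.maxLength) return { ok: false, reason: 'too long' };
  if (!PRINTABLE_ASCII.test(value)) return { ok: false, reason: 'non-printable characters' };
  // An odd number of double quotes means an unterminated quoted-string.
  if ((value.split('"').length - 1) % 2 !== 0) return { ok: false, reason: 'unbalanced quotes' };
  // A ';' inside a quoted filename also counts: deliberately conservative, this caps work, not parses.
  const fragments = value.split(';');
  if (fragments.length - 1 > lim.maxParams) return { ok: false, reason: 'too many parameters' };
  if (fragments.some((f) => f.length > lim.maxParamLength)) return { ok: false, reason: 'segment too long' };
  return { ok: true };
}

const GUARDED_HEADERS = ['content-type', 'content-disposition'];

// Checks an incoming header map (Node lower-cases names); reports the first offender.
function checkRequestHeaders(headers, limits = {}) {
  for (const name of GUARDED_HEADERS) {
    if (headers[name] === undefined) continue;
    const result = validateHeaderValue(headers[name], limits);
    if (!result.ok) return { ok: false, header: name, reason: result.reason };
  }
  return { ok: true };
}

// Express/Connect-style middleware: mount before body parsing so a bad header
// is answered with 400 and never reaches the content-type parser.
function headerGuard(limits = {}) {
  return function (req, res, next) {
    const result = checkRequestHeaders(req.headers, limits);
    if (result.ok) return next();
    res.statusCode = 400;
    res.end(`Rejected ${result.header} header: ${result.reason}\n`);
  };
}
```

Mount it with `app.use(headerGuard())` ahead of any body parser; the limits are a starting point and should be tuned to the largest legitimate headers your clients send.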
Update the @hapi/content library to version 6.0.1 or later to mitigate the ReDoS vulnerability in HTTP header parsing. This update fixes the regular expressions susceptible to catastrophic backtracking in the Content-Type and Content-Disposition headers.
CVE-2026-35213 is a denial-of-service (DoS) vulnerability in the @hapi/content Node.js package. Malicious HTTP headers can trigger catastrophic backtracking in regular expressions, causing the Node.js process to become unresponsive.
You are affected if you are using @hapi/content versions 6.0.0 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to @hapi/content version 6.0.1 or later. If immediate upgrade is not possible, implement WAF rules and header validation as temporary mitigations.
While there are no confirmed reports of active exploitation, the ease of exploitation and the ReDoS nature of the vulnerability suggest a high probability of exploitation if the vulnerability is exposed.
Refer to the official @hapi/content repository and related security advisories for the most up-to-date information and guidance regarding CVE-2026-35213.