@hapi/content：HTTP头部解析中的正则表达式拒绝服务（ReDoS）

An attacker can exploit this vulnerability by sending a single, maliciously crafted HTTP request containing specially designed header values. These headers trigger catastrophic backtracking within the vulnerable regular expressions used by @hapi/content to parse Content-Type and Content-Disposition headers. This leads to excessive CPU consumption and effectively freezes the Node.js process, resulting in a denial of service. The attack requires no authentication, making it easily exploitable. The blast radius is limited to the affected Node.js process, but widespread deployments could experience significant disruption.

1. 已保留2026-04-01
2. 发布日期2026-04-04
3. 修改日期2026-04-24
4. EPSS 更新日期2026-04-14

The primary mitigation is to upgrade to @hapi/content version 6.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out requests with suspicious header values. Implement strict header validation logic in your application to reject requests with malformed or overly complex headers. Specifically, limit the length and complexity of Content-Type and Content-Disposition header values. After upgrading, confirm the fix by sending a test request with a known malicious header and verifying that the Node.js process remains responsive.