{"id":"CVE-2026-35213","summary":"Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing","details":"@hapi/content provides parsing of HTTP Content-* headers. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.","aliases":["GHSA-jg4p-7fhp-p32p"],"modified":"2026-04-16T22:29:49.970312861Z","published":"2026-04-06T20:08:54.811Z","related":["CGA-fqj9-mx8g-5v3q"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-1333"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35213.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35213.json"},{"type":"FIX","url":"https://github.com/hapijs/content/pull/38"},{"type":"ADVISORY","url":"https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35213"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hapijs/content","events":[{"introduced":"0"},{"fixed":"e4233cee05535716991d02d55f82205514b10ae8"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"6.0.1"}]}}],"versions":["v1.0.0","v1.0.1","v2.0.0","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v4.0.0","v4.0.1","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.1.0","v5.0.0","v5.0.1","v5.0.2","v6.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35213.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}