HTTP Header Parsing Vulnerability in @hapi/content Affects Multiple Applications
CVE-2026-44974

7.7HIGH

Key Information:

Vendor

Hapijs

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-44974?

The @hapi/content library, before version 6.0.2, contains a vulnerability related to the parsing of HTTP Content-* headers. Specifically, the Content.disposition() method retains the last occurrence of duplicate parameters, while Content.type() retains the first occurrence of duplicate charset and boundary parameters. This inconsistency leads to potential parameter smuggling, allowing a bypass of upload restrictions, such as overextending an allowlist, in headers like Content-Disposition. An attacker could exploit this to substitute a file name, potentially uploading malicious files disguised within legitimate headers. The issue has been resolved in version 6.0.2.

Affected Version(s)

content < 6.0.2

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.