HTTP Header Parsing Vulnerability in @hapi/content Affects Multiple Applications
CVE-2026-44974
7.7HIGH
What is CVE-2026-44974?
The @hapi/content library, before version 6.0.2, contains a vulnerability related to the parsing of HTTP Content-* headers. Specifically, the Content.disposition() method retains the last occurrence of duplicate parameters, while Content.type() retains the first occurrence of duplicate charset and boundary parameters. This inconsistency leads to potential parameter smuggling, allowing a bypass of upload restrictions, such as overextending an allowlist, in headers like Content-Disposition. An attacker could exploit this to substitute a file name, potentially uploading malicious files disguised within legitimate headers. The issue has been resolved in version 6.0.2.
Affected Version(s)
content < 6.0.2
