CVE-2026-35213
Published: 06 April 2026
Summary
CVE-2026-35213 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Content Project Content. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 38.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the ReDoS vulnerability by requiring identification, reporting, and timely patching of the flawed @hapi/content library to version 6.0.1.
Provides denial-of-service protection mechanisms such as traffic filtering and resource allocation controls to block crafted HTTP headers causing CPU exhaustion.
Enables real-time system monitoring to detect indicators of ReDoS attacks through anomalous CPU usage and resource exhaustion from malicious headers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
ReDoS in HTTP header parsing enables crafted requests causing CPU exhaustion and endpoint DoS via application exploitation.
NVD Description
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to…
more
catastrophic backtracking. This vulnerability is fixed in 6.0.1.
Deeper analysisAI
CVE-2026-35213 is a Regular Expression Denial of Service (ReDoS) vulnerability in the @hapi/content package, which provides HTTP Content-Type and Content-Disposition header parsing. All versions through 6.0.0 are affected due to three regular expressions susceptible to catastrophic backtracking when processing crafted header values. The issue is classified under CWE-1333 and received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote, unauthenticated attackers can exploit this vulnerability by sending HTTP requests containing specially crafted Content-Type or Content-Disposition header values. No user interaction is required, allowing exploitation over the network with low complexity. Successful attacks trigger excessive CPU usage from backtracking, leading to denial of service through resource exhaustion, with no impact on confidentiality or integrity.
The vulnerability is addressed in @hapi/content version 6.0.1. Security advisories recommend updating to this patched version. Additional details are available in the GitHub security advisory at https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p and the fixing pull request at https://github.com/hapijs/content/pull/38.
Details
- CWE(s)