Cyber Resilience

CVE-2026-35213

High

Published: 06 April 2026

Published
06 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0041 32.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-35213 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Content Project Content. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

@hapi/content is a Node.js library that parses HTTP Content-* headers including Content-Type and Content-Disposition. All versions through 6.0.0 contain three regular expressions that are vulnerable to catastrophic backtracking, enabling a Regular Expression Denial of Service (ReDoS) condition when attacker-supplied header values are processed. The flaw is tracked as CWE-1333 and carries a CVSS 4.0 score of 8.7.

An unauthenticated remote attacker can trigger the vulnerability simply by sending a single HTTP request containing a crafted Content-Type or Content-Disposition header. Successful exploitation causes the event loop to block, resulting in denial of service for the affected Node.js process while leaving confidentiality and integrity untouched.

The project’s security advisory GHSA-jg4p-7fhp-p32p and the associated pull request #38 state that the issue is resolved in version 6.0.1; users are advised to upgrade immediately and to validate that no pinned older releases remain in production dependency trees.

EPSS for the CVE rose from a low baseline of 0.0042 to a peak of 0.0121, indicating that exploitation interest increased after public disclosure. No reports of in-the-wild exploitation have been observed to date.

EU & UK References

Vulnerability details

@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to…

more

catastrophic backtracking. This vulnerability is fixed in 6.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

ReDoS in HTTP header parsing enables crafted requests causing CPU exhaustion and endpoint DoS via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70030Shared CWE-1333
CVE-2026-30837Shared CWE-1333
CVE-2025-70034Shared CWE-1333
CVE-2025-10990Shared CWE-1333
CVE-2026-23956Shared CWE-1333
CVE-2025-25200Shared CWE-1333
CVE-2026-22178Shared CWE-1333
CVE-2026-1388Shared CWE-1333
CVE-2026-23897Shared CWE-1333
CVE-2024-41766Shared CWE-1333

Affected Assets

content project
content
≤ 6.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the ReDoS vulnerability by requiring identification, reporting, and timely patching of the flawed @hapi/content library to version 6.0.1.

prevent

Provides denial-of-service protection mechanisms such as traffic filtering and resource allocation controls to block crafted HTTP headers causing CPU exhaustion.

detect

Enables real-time system monitoring to detect indicators of ReDoS attacks through anomalous CPU usage and resource exhaustion from malicious headers.

References