CVE-2026-35213
Published: 06 April 2026
Summary
CVE-2026-35213 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Content Project Content. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 32.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
@hapi/content is a Node.js library that parses HTTP Content-* headers including Content-Type and Content-Disposition. All versions through 6.0.0 contain three regular expressions that are vulnerable to catastrophic backtracking, enabling a Regular Expression Denial of Service (ReDoS) condition when attacker-supplied header values are processed. The flaw is tracked as CWE-1333 and carries a CVSS 4.0 score of 8.7.
An unauthenticated remote attacker can trigger the vulnerability simply by sending a single HTTP request containing a crafted Content-Type or Content-Disposition header. Successful exploitation causes the event loop to block, resulting in denial of service for the affected Node.js process while leaving confidentiality and integrity untouched.
The project’s security advisory GHSA-jg4p-7fhp-p32p and the associated pull request #38 state that the issue is resolved in version 6.0.1; users are advised to upgrade immediately and to validate that no pinned older releases remain in production dependency trees.
EPSS for the CVE rose from a low baseline of 0.0042 to a peak of 0.0121, indicating that exploitation interest increased after public disclosure. No reports of in-the-wild exploitation have been observed to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19477
Vulnerability details
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to…
more
catastrophic backtracking. This vulnerability is fixed in 6.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
ReDoS in HTTP header parsing enables crafted requests causing CPU exhaustion and endpoint DoS via application exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the ReDoS vulnerability by requiring identification, reporting, and timely patching of the flawed @hapi/content library to version 6.0.1.
Provides denial-of-service protection mechanisms such as traffic filtering and resource allocation controls to block crafted HTTP headers causing CPU exhaustion.
Enables real-time system monitoring to detect indicators of ReDoS attacks through anomalous CPU usage and resource exhaustion from malicious headers.