CVE-2026-44974
Published:May 31, 2026
Updated:June 13, 2026
Impact The two parsers resolved duplicates inconsistently and silently: - "Content.disposition()" retained the last occurrence of each parameter. - "Content.type()" retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass: "Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"" Patches The issue has been patched in 6.0.2. Workarounds Pre or post validate headers looking for duplicates. Resources - "RFC 6266 §4.1 — Content-Disposition syntax" (https://www.rfc-editor.org/rfc/rfc6266#section-4.1) - "RFC 7231 §3.1.1.1 — Content-Type syntax" (https://www.rfc-editor.org/rfc/rfc7231#section-3.1.1.1) - "RFC 7230 §3.2.6 — token character set" (https://www.rfc-editor.org/rfc/rfc7230#section-3.2.6)
Affected Packages
https://github.com/hapijs/content.git (GITHUB):
Affected version(s) >=v1.0.0 <v6.0.2Fix Suggestion:
Update to version v6.0.2@hapi/content (NPM):
Affected version(s) >=4.1.0 <6.0.2Fix Suggestion:
Update to version 6.0.2Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Interpretation Conflict
EPSS
Base Score:
0.05