Description
@hapi/content provided HTTP Content-* headers parsing. Prior to 6.0.2, Content.disposition() retained the last occurrence of each duplicate parameter while Content.type() retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates the opposite way. This can allow an upload filename allowlist bypass in headers such as Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php". This issue is fixed in version 6.0.2.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-36hh-x5p5-jgc8 | @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters |
References
History
Fri, 17 Jul 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hapijs
Hapijs content |
|
| Vendors & Products |
Hapijs
Hapijs content |
Fri, 17 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | @hapi/content provided HTTP Content-* headers parsing. Prior to 6.0.2, Content.disposition() retained the last occurrence of each duplicate parameter while Content.type() retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates the opposite way. This can allow an upload filename allowlist bypass in headers such as Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php". This issue is fixed in version 6.0.2. | |
| Title | Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters | |
| Weaknesses | CWE-436 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T20:11:44.250Z
Reserved: 2026-05-08T16:23:33.263Z
Link: CVE-2026-44974
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T21:45:03Z
Weaknesses
Github GHSA