GHSA-36HH-X5P5-JGC8
Vulnerability from github – Published: 2026-05-27 00:37 – Updated: 2026-05-27 00:37
VLAI
Summary
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
Details
Impact
The two parsers resolved duplicates inconsistently and silently:
- Content.disposition() retained the last occurrence of each parameter.
- Content.type() retained the first occurrence of charset and boundary.
Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass:
Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"
Patches
The issue has been patched in 6.0.2.
Workarounds
Pre or post validate headers looking for duplicates.
Resources
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@hapi/content"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44974"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T00:37:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe two parsers resolved duplicates inconsistently and silently:\n- `Content.disposition()` retained the last occurrence of each parameter.\n- `Content.type()` retained the first occurrence of charset and boundary.\n\nEither behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass:\n\n`Content-Disposition: form-data; name=\"file\"; filename=\"safe.txt\"; filename=\"shell.php\"`\n\n### Patches\nThe issue has been patched in 6.0.2.\n\n### Workarounds\nPre or post validate headers looking for duplicates.\n\n### Resources\n- [RFC 6266 \u00a74.1 \u2014 Content-Disposition syntax](https://www.rfc-editor.org/rfc/rfc6266#section-4.1)\n- [RFC 7231 \u00a73.1.1.1 \u2014 Content-Type syntax](https://www.rfc-editor.org/rfc/rfc7231#section-3.1.1.1)\n- [RFC 7230 \u00a73.2.6 \u2014 token character set](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.6)",
"id": "GHSA-36hh-x5p5-jgc8",
"modified": "2026-05-27T00:37:20Z",
"published": "2026-05-27T00:37:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapijs/content/security/advisories/GHSA-36hh-x5p5-jgc8"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/content/commit/3850079550c191d25e3643dc82a6d61144db8c2f"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapijs/content"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…