CVE-2026-35213

ADVISORY - github

Summary

All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking.

Impact

Denial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.

Patches

Fixed by tightening all three regular expressions to eliminate backtracking.

Workarounds

There are no known workarounds. Upgrade to the patched version.
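
To find which installs need the upgrade, the following added example (not code from the advisory or from the @hapi/content project) scans a parsed package-lock.json for copies of @hapi/content at or below 6.0.0, including nested transitive copies. It assumes lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag @hapi/content installs at or below 6.0.0 in a parsed
// package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
const LAST_AFFECTED = [6, 0, 0]; // from the advisory: "through 6.0.0"

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return true; // unparseable version: report for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 6.0.0
}

// Returns [{ path, version }] for every affected copy, including nested ones
// installed under another package's node_modules directory.
function findAffectedHapiContent(lock) {
  const suffix = 'node_modules/@hapi/content';
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .filter(([, meta]) => isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile. The version 6.0.1 is a made-up newer value used
// only to exercise the comparison; it is not taken from the advisory.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@hapi/content': { version: '6.0.1' },
    'node_modules/@hapi/subtext/node_modules/@hapi/content': { version: '5.0.2' },
    'node_modules/@hapi/content-type-fake': { version: '1.0.0' },
  },
};

console.log(findAffectedHapiContent(sampleLock));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffectedHapiContent.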

Common Weakness Enumeration (CWE)

Inefficient Regular Expression Complexity

