CVE-2026-44974 PUBLISHED

Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters

Assigner: GitHub_M
Reserved: 08.05.2026 Published: 17.07.2026 Updated: 17.07.2026

@hapi/content provided HTTP Content-* headers parsing. Prior to 6.0.2, Content.disposition() retained the last occurrence of each duplicate parameter while Content.type() retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates the opposite way. This can allow an upload filename allowlist bypass in headers such as Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php". This issue is fixed in version 6.0.2.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N
CVSS Score: 7.7

Product Status

Vendor hapijs
Product content
Versions
  • Version < 6.0.2 is affected

References

Problem Types

  • CWE-436: Interpretation Conflict CWE