Impact The two parsers resolved duplicates inconsistently and silently: Content.disposition() retained the last occurrence of each parameter. Content.type() retained the first occurrence of charset and boundary. Either…
| CVE ID | CVE-2026-44974 |
| Vendor | npm |
| Affected Product | @hapi/content |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
Content.disposition() retained the last occurrence of each parameter.Content.type() retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass: Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"The two parsers resolved duplicates inconsistently and silently:
The issue has been patched in 6.0.2.
Pre or post validate headers looking for duplicates.
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.