CVE-2026-44974

hapijs · content

The @hapi/content package is susceptible to interpretation conflicts when parsing HTTP Content headers, potentially allowing for unexpected application behavior.

Executive summary

An interpretation conflict in the @hapi/content library may lead to security bypasses or data processing errors in applications relying on this parser.

Vulnerability

The library contains an interpretation conflict (CWE-436) when processing HTTP Content headers. An unauthenticated attacker can supply crafted headers that are interpreted differently by the library than by other system components.

Business impact

With a CVSS score of 7.7, this vulnerability poses a high risk of integrity compromise. If the application logic relies on these headers for security decisions, the conflict could allow attackers to bypass filters or access features they are not authorized to use, potentially leading to unauthorized data modification.

Remediation

Immediate Action: Update the @hapi/content package to version 6.0.2 or higher within the project dependency tree.

Proactive Monitoring: Watch for application errors or unexpected behaviors related to request processing and header validation.

Compensating Controls: Ensure that downstream applications do not trust header information implicitly and perform secondary validation of all incoming content metadata.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Development teams should audit their package manifests and update @hapi/content to version 6.0.2 immediately. Securing the dependency chain is critical to preventing exploitation of this interpretation flaw.