Zurück zur CVE-Übersicht
CVE-2026-44974
NONERisk Signal Score10/100 — NIEDRIG
- Weniger als 24 Stunden alt
Beschreibung
@hapi/content provided HTTP Content-* headers parsing. Prior to 6.0.2, Content.disposition() retained the last occurrence of each duplicate parameter while Content.type() retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates the opposite way. This can allow an upload filename allowlist bypass in headers such as Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php". This issue is fixed in version 6.0.2.
GitHub Advisories
GHSA-36hh-x5p5-jgc8HIGH
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
npm/@hapi/content→ 6.0.2
GitHub Advisory