PatchSiren cyber security CVE debrief
CVE-2026-44974 hapijs CVE debrief
CVE-2026-44974 is a HIGH severity vulnerability in @hapi/content. Prior to version 6.0.2, the Content.disposition() function retained the last occurrence of each duplicate parameter, while Content.type() retained the first occurrence of duplicate charset and boundary parameters. This inconsistency creates a parameter-smuggling primitive when another component in the request-processing chain resolves duplicates differently. An attacker can exploit this to bypass an upload filename allowlist in headers such as Content-Disposition: form-data; name=file; filename=safe.txt; filename=shell.php. The issue is fixed in version 6.0.2.
- Vendor
- hapijs
- Product
- content
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using @hapi/content versions prior to 6.0.2 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 6.0.2 or applying compensating controls to prevent exploitation.
Technical summary
The @hapi/content library, prior to version 6.0.2, has a vulnerability in its handling of HTTP Content-* headers. Specifically, the Content.disposition() function and Content.type() function handle duplicate parameters inconsistently. This inconsistency can lead to a parameter-smuggling vulnerability when used in conjunction with other components that resolve duplicates differently. An attacker can exploit this vulnerability to bypass filename allowlists in certain scenarios, potentially leading to unauthorized file uploads.
Defensive priority
High
Recommended defensive actions
- Upgrade @hapi/content to version 6.0.2 or later
- Review and update filename allowlists to account for potential parameter smuggling
- Monitor for suspicious file upload activity
- Implement additional security controls to prevent exploitation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-17T20:17:16.727Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that @hapi/content library versions prior to 6.0.2 are affected. Defenders should verify potential parameter smuggling in HTTP Content-* headers and review filename allowlists.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:16.727Z and has not been modified since then.