All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking.
Denial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.
Fixed by tightening all three regular expressions to eliminate backtracking.
There are no known workarounds. Upgrade to the patched version.
6.0.1Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:NVA:HSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N