Advisories for Npm/@Hapi/Content package

The two parsers resolved duplicates inconsistently and silently: Content.disposition() retained the last occurrence of each parameter. Content.type() retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass: Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"

All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.

Versions of @hapi/content prior to 4.1.1 and 5.0.1 are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application …