What is GHSA-36hh-x5p5-jgc8?

GHSA-36hh-x5p5-jgc8 is a security advisory published by GitHub Security Advisories with High severity. @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters

Which CVE IDs does GHSA-36hh-x5p5-jgc8 cover?

GHSA-36hh-x5p5-jgc8 covers the following CVE IDs: CVE-2026-44974. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-36hh-x5p5-jgc8?

GHSA-36hh-x5p5-jgc8 affects 1 product, including: npm/@hapi/content:\u003c 6.0.2.

GHSA-36hh-x5p5-jgc8High

@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2026-44974 →

📋 Description

Impact

The two parsers resolved duplicates inconsistently and silently:

Content.disposition() retained the last occurrence of each parameter.
Content.type() retained the first occurrence of charset and boundary.

Either behavior creates a parameter-smuggling primitive when another component in the request-processing chain (a WAF, reverse proxy, security filter, or alternate parser) resolves duplicates the opposite way. The primary attack vector is upload filename allowlist bypass:

Content-Disposition: form-data; name="file"; filename="safe.txt"; filename="shell.php"

@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters

🔗 CVE IDs covered (1)

📋 Description

Impact

Patches

Workarounds

Resources

🎯 Affected products1

🔗 References (3)