
[HIGH] Security Advisory: @hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing (@hapi/content)

All versions of the @hapi/content npm package up to and including 6.0.0 expose Node.js servers to a Regular Expression Denial of Service (ReDoS) attack.

Attackers need only send a single crafted HTTP request with a malicious Content-Type or Content-Disposition header value to trigger it. Three specific regex patterns in the header-parsing code suffer from catastrophic backtracking, which spikes CPU usage and hangs the process.

This hits hard because @hapi/content powers content negotiation and multipart parsing in the hapi.js framework, a staple for Node.js web servers since 2010. Hapi serves high-traffic sites like those at Walmart and Mozilla, with the core repo boasting over 14,000 GitHub stars and millions of weekly downloads across its ecosystem. If your app pulls in this package—directly or transitively—you’re at risk. A single unauthenticated request crashes the worker, forcing restarts and downtime.

Technical Breakdown

ReDoS exploits regex engines’ backtracking behavior. Poorly designed patterns retry matches exponentially on adversarial inputs. Here, the culprits parse header parameters: media types, charsets, and filenames in Content-Disposition. Think inputs like repeated nested quotes or semicolons that force the regex to explore billions of paths.

For example, a vulnerable pattern might look like /^([^;]+);(?:\s*([^=]+)=(?:([^"\\]+)|"((?:[^"\\]|\\.)*)"))*(?:;)?$/—hypothetical but typical for header params. Feed it text/plain; a="b"c"d variants, and Node’s V8 regex engine chokes. The advisory confirms three such patterns; devs fixed them in 6.0.1 by rewriting to linear-time alternatives, slashing backtracking risk.
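The linear-time rewrite mentioned above, as an added example that is not @hapi/content's own code: a single-pass parser for Content-Type and Content-Disposition style values that visits each character once, so nested quotes and stray semicolons cannot trigger backtracking. The function name and the MAX_HEADER_LEN cap are assumptions for this illustration.

```javascript
// Added example, not @hapi/content's code: a single-pass parser for header
// values of the form  type; name=token; name="quoted \"string\""  (Content-Type,
// Content-Disposition). Each character is visited once, so nested quotes and
// semicolons cost O(n) instead of triggering regex backtracking.
const MAX_HEADER_LEN = 4096; // assumed cap: refuse oversized values up front

function parseHeaderValue(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_HEADER_LEN) return null;
  const n = raw.length;
  let i = 0;
  const skipWs = () => { while (i < n && (raw[i] === ' ' || raw[i] === '\t')) i++; };
  // Plain token: everything up to ';' (and, for a parameter name, up to '=').
  const readToken = (stopAtEq) => {
    const start = i;
    while (i < n && raw[i] !== ';' && !(stopAtEq && raw[i] === '=')) i++;
    return raw.slice(start, i).trim();
  };
  // Quoted string: handles backslash escapes; null if the closing quote is missing.
  const readQuoted = () => {
    i++; // consume the opening quote
    let out = '';
    while (i < n) {
      const c = raw[i];
      if (c === '\\' && i + 1 < n) { out += raw[i + 1]; i += 2; continue; }
      if (c === '"') { i++; return out; }
      out += c; i++;
    }
    return null;
  };
  skipWs();
  const type = readToken(false).toLowerCase();
  if (!type) return null;
  const params = {};
  while (i < n) {
    if (raw[i] !== ';') return null;
    i++; skipWs();
    if (i >= n) break; // a trailing ';' is tolerated
    const name = readToken(true).toLowerCase();
    if (!name || raw[i] !== '=') return null; // parameter without '=' is rejected
    i++; skipWs();
    let val;
    if (raw[i] === '"') { val = readQuoted(); if (val === null) return null; }
    else val = readToken(false);
    skipWs();
    if (i < n && raw[i] !== ';') return null; // junk after a value, e.g. a="b"c"d
    params[name] = val;
  }
  return { type, params };
}
```

Malformed inputs such as the text/plain; a="b"c"d variant are rejected on the first offending character, and the length cap bounds the work done even before parsing starts.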

Scan your package-lock.json or run

npm ls @hapi/content

to check versions. Tools like npm audit will flag it once the advisory is published (CVE pending; Snyk or OSS-Fuzz likely caught it). But an audit only reports the dependency version; it does nothing for a running server that is already parsing attacker-supplied headers.

Real-World Implications

Why care? Availability trumps all in production. One request per endpoint DoSes the Node process—no flood needed, stealthy, zero auth. Scale to autoscaling clusters? Attackers script it across IPs, probing until workers respawn endlessly. Costs rack up: AWS bills for idle spins, users see 503s.

Hapi’s niche—robust APIs over Express’s simplicity—means enterprise use. Weekly downloads for @hapi/content hover near 200,000; transitive deps amplify reach. Past ReDoS hits like minimist or hoek (hapi’s own) downed services. Skeptically, not every app parses uploads constantly, but public POST/PUT endpoints? Prime targets. Botnets scan for hapi signatures daily.

Mitigation matters more than hype. No workarounds exist—rate limiting won’t stop the CPU peg, since a single request suffices. Proxy layers like NGINX parse some headers first, but hapi inspects the full values internally. Upgrade immediately to 6.0.1+. Test thoroughly; regex tweaks rarely break parsers if inputs stay RFC-compliant.

Broadly, this underscores Node’s regex pitfalls. V8 improved ReDoS resistance in 2020, but app-level bugs persist. Audit regexes with tools like ret or regex101’s backtracking viz. For hapi users, pin deps strictly, subscribe to @hapi security alerts. Incidents like this erode trust—fix fast, or competitors pounce on your outages.

Bottom line: Patch now. Run

npm update @hapi/content

and deploy. Monitor logs for hung requests. In crypto/web3 stacks layering hapi, this could leak into dApps or APIs handling high-value txns. Don’t wait for exploits in the wild.

April 4, 2026 · 3 min · 13 views · Source: GitHub Security
