Skip to main content

Red Hat CVE-2026-4867

| EUVDEUVD-2026-16273 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-03-26 openjs GHSA-37ch-88jc-xwx2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 18:07 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 16:45 euvd
EUVD-2026-16273
Analysis Generated
Mar 26, 2026 - 16:45 vuln.today
CVE Published
Mar 26, 2026 - 16:16 nvd
HIGH 7.5

DescriptionCVE.org

Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

AnalysisAI

Catastrophic backtracking in path-to-regexp versions prior to 0.1.13 enables remote denial of service attacks through specially crafted URLs containing three or more parameters within a single route segment separated by non-period characters. The vulnerability stems from insufficient backtrack protection in regex generation for routes like /:a-:b-:c, allowing unauthenticated attackers to trigger exponential computation times. SSVC framework confirms the vulnerability is automatable with partial technical impact, though no public exploit is identified at time of analysis.

Technical ContextAI

The path-to-regexp library (CPE: cpe:2.3:a:path-to-regexp:path-to-regexp) is a widely-used JavaScript utility for converting path strings into regular expressions, commonly employed in routing frameworks like Express.js. This vulnerability represents CWE-1333 (Inefficient Regular Expression Complexity), specifically a Regular Expression Denial of Service (ReDoS) condition. The backtrack protection mechanism introduced in version 0.1.12 only safeguarded against ambiguity in two-parameter segments. When three or more parameters exist in a single segment (e.g., /:a-:b-:c-:d), the generated lookahead assertion fails to block single separator characters, causing capture groups to overlap and triggering catastrophic backtracking where regex engine execution time grows exponentially with input length.

RemediationAI

Upgrade path-to-regexp to version 0.1.13 or later, which includes proper backtrack protection for multi-parameter route segments (vendor-released patch: 0.1.13). Consult the OpenJS Foundation security advisory at https://cna.openjsf.org/security-advisories.html and GitHub advisory at https://github.com/advisories/GHSA-9wv6-86v2-598j for implementation guidance. For environments where immediate upgrade is not feasible, apply custom regular expressions to parameters after the first in multi-parameter segments, ensuring the custom regex does not match text before the parameter (e.g., change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+)). Routes using custom regex patterns in their definitions are not affected and require no changes. As an additional compensating control, implement URL length restrictions at the web server or application gateway level to limit potential backtracking depth. Detailed technical explanation and workaround examples are available at https://blakeembrey.com/posts/2024-09-web-redos.

Vendor StatusVendor

Debian

node-path-to-regexp
Release Status Fixed Version Urgency
bullseye vulnerable 6.2.0-1 -
bookworm vulnerable 6.2.1-1 -
trixie vulnerable 6.3.0-1 -
forky, sid vulnerable 8.3.0-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-4867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy