Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
AnalysisAI
Catastrophic backtracking in path-to-regexp versions prior to 0.1.13 enables remote denial of service attacks through specially crafted URLs containing three or more parameters within a single route segment separated by non-period characters. The vulnerability stems from insufficient backtrack protection in regex generation for routes like /:a-:b-:c, allowing unauthenticated attackers to trigger exponential computation times. SSVC framework confirms the vulnerability is automatable with partial technical impact, though no public exploit is identified at time of analysis.
Technical ContextAI
The path-to-regexp library (CPE: cpe:2.3:a:path-to-regexp:path-to-regexp) is a widely-used JavaScript utility for converting path strings into regular expressions, commonly employed in routing frameworks like Express.js. This vulnerability represents CWE-1333 (Inefficient Regular Expression Complexity), specifically a Regular Expression Denial of Service (ReDoS) condition. The backtrack protection mechanism introduced in version 0.1.12 only safeguarded against ambiguity in two-parameter segments. When three or more parameters exist in a single segment (e.g., /:a-:b-:c-:d), the generated lookahead assertion fails to block single separator characters, causing capture groups to overlap and triggering catastrophic backtracking where regex engine execution time grows exponentially with input length.
RemediationAI
Upgrade path-to-regexp to version 0.1.13 or later, which includes proper backtrack protection for multi-parameter route segments (vendor-released patch: 0.1.13). Consult the OpenJS Foundation security advisory at https://cna.openjsf.org/security-advisories.html and GitHub advisory at https://github.com/advisories/GHSA-9wv6-86v2-598j for implementation guidance. For environments where immediate upgrade is not feasible, apply custom regular expressions to parameters after the first in multi-parameter segments, ensuring the custom regex does not match text before the parameter (e.g., change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+)). Routes using custom regex patterns in their definitions are not affected and require no changes. As an additional compensating control, implement URL length restrictions at the web server or application gateway level to limit potential backtracking depth. Detailed technical explanation and workaround examples are available at https://blakeembrey.com/posts/2024-09-web-redos.
Same technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 6.2.0-1 | - |
| bookworm | vulnerable | 6.2.1-1 | - |
| trixie | vulnerable | 6.3.0-1 | - |
| forky, sid | vulnerable | 8.3.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16273
GHSA-37ch-88jc-xwx2