Skip to main content

Red Hat CVE-2026-4923

| EUVDEUVD-2026-16322 MEDIUM
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-03-26 openjs GHSA-27v5-c462-wpq7
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 19:16 euvd
EUVD-2026-16322
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:02 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 30 npm packages depend on path-to-regexp (12 direct, 18 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

Impact:

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y

Safe examples:

/*foo-:bar /*foo-:bar-*baz

Patches:

Upgrade to version 8.4.0.

Workarounds:

If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

AnalysisAI

path-to-regexp versions prior to 8.4.0 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing multiple wildcard parameters combined with path parameters in specific configurations. Unauthenticated remote attackers can craft malicious path patterns containing multiple wildcards (not at the end) to trigger catastrophic regex backtracking, causing denial of service against applications using the affected library. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

path-to-regexp is a JavaScript library that converts URL path strings into regular expressions for routing purposes, commonly used in Express.js and other Node.js web frameworks. The vulnerability (CWE-1333: Improper Restriction of Rendered UI Layers or Frames) stems from how the library generates regex patterns when processing path definitions containing multiple wildcard operators (asterisks) combined with named parameters (colons). When wildcards appear in non-terminal positions followed by additional parameters, the generated regex exhibits polynomial time complexity due to excessive backtracking during pattern matching. The affected product range is path-to-regexp versions 8.0.0 through 8.3.x, as confirmed via CPE (cpe:2.3:a:path-to-regexp:path-to-regexp:*:*:*:*:*:*:*:*) and EUVD tracking (EUVD-2026-16322). The library's regex generation logic fails to account for pathological input patterns that trigger nested quantifier backtracking scenarios.

RemediationAI

Upgrade path-to-regexp to version 8.4.0 or later immediately. This patched version resolves the regex generation logic to prevent ReDoS exploitation. Applications cannot perform in-place updates via configuration; a dependency upgrade is required. Until patching is possible, conduct an audit of application routing configurations to identify and eliminate unsafe path patterns matching the listed examples (/*foo-*bar-:baz, /*a-:b-*c-:d, /x/*a-:b/*c/y); refactor affected routes to use safe patterns such as /*foo-:bar or /*foo-:bar-*baz (with wildcards only at terminal positions). As a verification step before and after remediation, test the application's routing regex output using the ReCheck playground (https://makenowjust-labs.github.io/recheck/playground/) to confirm vulnerability status. Network-level mitigations such as request timeout enforcement and rate limiting on routing endpoints can provide defense-in-depth but do not eliminate the underlying flaw.

Vendor StatusVendor

Debian

node-path-to-regexp
Release Status Fixed Version Urgency
bullseye vulnerable 6.2.0-1 -
bookworm vulnerable 6.2.1-1 -
trixie vulnerable 6.3.0-1 -
forky, sid vulnerable 8.3.0-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-4923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy