CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:
    /*foo-*bar-:baz
    /*a-:b-*c-:d
    /x/*a-:b/*c/y

Safe examples:
    /*foo-:bar
    /*foo-:bar-*baz

Patches: Upgrade to version 8.4.0.

Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
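The workaround above asks you to check each route pattern by hand. The following added example (not code from the advisory or from path-to-regexp itself) turns the stated rule into a static check over a route table: a pattern is flagged when it has at least two named wildcards, at least one parameter, and a wildcard other than the first does not sit at the end of the path. It assumes path-to-regexp v8 syntax (`:name`, `*name`, `:"quoted name"`, backslash escapes) and does not interpret `{...}` optional groups; the function names, the tokenizer and the sample route list are constructed for this example.

```javascript
// Added example, not part of the advisory or of the path-to-regexp project.
// Static check for the route-pattern shape described in the advisory:
//   >= 2 named wildcards, >= 1 parameter, and a wildcard other than the
//   first one somewhere other than the end of the path.
// Assumptions: path-to-regexp v8 syntax only (":name", "*name",
// ':"quoted name"', backslash escapes). "{...}" groups are treated as
// literal text. A "safe" result from this check is a hint only; confirm
// the generated regex with a ReDoS checker such as recheck.

const NAME_CHARS = /[A-Za-z0-9_]/;

// Tokenize a route string into parameter and wildcard entries
// { type, name, start, end }. Literal characters are skipped.
function tokenize(pattern) {
  const tokens = [];
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === '\\') {
      i += 2; // escaped character is literal, skip it and the backslash
      continue;
    }
    if (ch === ':' || ch === '*') {
      let j = i + 1;
      if (pattern[j] === '"') {
        // quoted name: :"some name" or *"some name"
        j = pattern.indexOf('"', j + 1);
        if (j === -1) throw new Error(`unterminated quoted name at offset ${i}`);
        j += 1;
      } else {
        while (j < pattern.length && NAME_CHARS.test(pattern[j])) j += 1;
      }
      if (j === i + 1) {
        i += 1; // bare ":" or "*" with no name: treat as literal
        continue;
      }
      tokens.push({
        type: ch === ':' ? 'param' : 'wildcard',
        name: pattern.slice(i + 1, j).replace(/^"|"$/g, ''),
        start: i,
        end: j, // index just past the token
      });
      i = j;
      continue;
    }
    i += 1;
  }
  return tokens;
}

// Apply the advisory's rule to one route pattern.
function isUnsafePattern(pattern) {
  const tokens = tokenize(pattern);
  const wildcards = tokens.filter((t) => t.type === 'wildcard');
  const params = tokens.filter((t) => t.type === 'param');
  if (wildcards.length < 2 || params.length === 0) return false;
  // Any wildcard after the first that does not end the path
  // matches the shape the advisory calls unsafe.
  return wildcards.slice(1).some((w) => w.end !== pattern.length);
}

// Scan a route table and return the patterns that need attention.
function findUnsafeRoutes(routes) {
  return routes.filter(isUnsafePattern);
}

// Constructed sample route table: the advisory's examples plus a few
// ordinary routes that must not be flagged.
const SAMPLE_ROUTES = [
  '/*foo-*bar-:baz',   // unsafe (advisory)
  '/*a-:b-*c-:d',      // unsafe (advisory)
  '/x/*a-:b/*c/y',     // unsafe (advisory)
  '/*foo-:bar',        // safe (advisory): one wildcard
  '/*foo-:bar-*baz',   // safe (advisory): second wildcard ends the path
  '/*left-*right',     // not flagged: no parameter
  '/users/:id',        // not flagged
  '/files/*path',      // not flagged
];

console.log('Patterns to review:', findUnsafeRoutes(SAMPLE_ROUTES));
```

Run it against your own route list in place of `SAMPLE_ROUTES`; anything it returns should be either rewritten so the second wildcard ends the path, or checked with recheck and fixed by upgrading to 8.4.0.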
Analysis
path-to-regexp versions prior to 8.4.0 are vulnerable to Regular Expression Denial of Service (ReDoS) when a route pattern combines two or more wildcards with at least one parameter and a wildcard other than the first is not at the end of the path. The route pattern is defined by the application, not by the attacker; an unauthenticated remote attacker who sends a crafted request path to such a route triggers catastrophic backtracking in the regular expression generated from it, causing denial of service against the application using the affected library. …
Remediation
Within 30 days: identify systems that depend on path-to-regexp below 8.4.0, directly or as a transitive dependency, and upgrade to 8.4.0 or later as part of the regular patch cycle. Where the upgrade cannot be applied yet, review route patterns that use more than one wildcard and check their generated regexes with a tool such as recheck, as the advisory suggests.
Vendor Status
Debian
| Release | Status | Package Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 6.2.0-1 | - |
| bookworm | vulnerable | 6.2.1-1 | - |
| trixie | vulnerable | 6.3.0-1 | - |
| forky, sid | vulnerable | 8.3.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
EUVD-2026-16322
GHSA-27v5-c462-wpq7