Skip to main content

Path To Regexp CVE-2026-4926

| EUVDEUVD-2026-16324 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-03-26 openjs GHSA-j3q9-mxjg-w52f
7.5
CVSS 3.1 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (openjs).

CVSS VectorVendor: openjs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 18:07 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 19:16 euvd
EUVD-2026-16324
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 18:59 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 30 npm packages depend on path-to-regexp (12 direct, 18 indirect)

Ecosystem-wide dependent count for version 8.0.0.

DescriptionCVE.org

Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

AnalysisAI

The path-to-regexp library versions 8.0.0 through 8.3.0 suffer from catastrophic regular expression denial of service via exponential regex generation when route patterns contain multiple sequential optional groups in curly-brace syntax. Remote unauthenticated attackers can trigger resource exhaustion by submitting crafted route patterns, causing application-level denial of service with CVSS 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released version 8.4.0 to address the issue.

Technical ContextAI

The path-to-regexp library, a widely-used JavaScript routing utility that converts path strings into regular expressions (affected product: cpe:2.3:a:path-to-regexp:path-to-regexp), contains a flaw rooted in CWE-400 (Uncontrolled Resource Consumption). When processing route patterns with multiple consecutive optional groups using curly-brace syntax such as {a}{b}{c}:z, the library generates regular expressions that grow exponentially in complexity with each additional group. This algorithmic inefficiency creates a classic Regular Expression Denial of Service (ReDoS) condition where pattern-matching operations consume excessive CPU cycles, potentially blocking the event loop in Node.js applications or causing significant performance degradation in environments where the library processes route definitions.

RemediationAI

Upgrade path-to-regexp to version 8.4.0 or later, which contains the vendor-released patch addressing the exponential regex generation issue. Organizations should review the OpenJS Foundation security advisory at https://cna.openjsf.org/security-advisories.html for complete upgrade guidance. As an interim mitigation until patching is completed, implement input validation to limit the number of sequential optional groups in route patterns and enforce strict controls preventing user-supplied data from being used as route pattern definitions. Applications using static route configurations defined at development time require less urgent remediation compared to systems dynamically generating routes from external input.

Vendor StatusVendor

Debian

node-path-to-regexp
Release Status Fixed Version Urgency
bullseye vulnerable 6.2.0-1 -
bookworm vulnerable 6.2.1-1 -
trixie vulnerable 6.3.0-1 -
forky, sid vulnerable 8.3.0-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-4926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy