Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 30 npm packages depend on path-to-regexp (12 direct, 18 indirect)
Ecosystem-wide dependent count for version 8.0.0.
DescriptionCVE.org
Impact:
When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.
Unsafe examples:
/*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y
Safe examples:
/*foo-:bar /*foo-:bar-*baz
Patches:
Upgrade to version 8.4.0.
Workarounds:
If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
AnalysisAI
path-to-regexp versions prior to 8.4.0 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing multiple wildcard parameters combined with path parameters in specific configurations. Unauthenticated remote attackers can craft malicious path patterns containing multiple wildcards (not at the end) to trigger catastrophic regex backtracking, causing denial of service against applications using the affected library. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
path-to-regexp is a JavaScript library that converts URL path strings into regular expressions for routing purposes, commonly used in Express.js and other Node.js web frameworks. The vulnerability (CWE-1333: Improper Restriction of Rendered UI Layers or Frames) stems from how the library generates regex patterns when processing path definitions containing multiple wildcard operators (asterisks) combined with named parameters (colons). When wildcards appear in non-terminal positions followed by additional parameters, the generated regex exhibits polynomial time complexity due to excessive backtracking during pattern matching. The affected product range is path-to-regexp versions 8.0.0 through 8.3.x, as confirmed via CPE (cpe:2.3:a:path-to-regexp:path-to-regexp:*:*:*:*:*:*:*:*) and EUVD tracking (EUVD-2026-16322). The library's regex generation logic fails to account for pathological input patterns that trigger nested quantifier backtracking scenarios.
RemediationAI
Upgrade path-to-regexp to version 8.4.0 or later immediately. This patched version resolves the regex generation logic to prevent ReDoS exploitation. Applications cannot perform in-place updates via configuration; a dependency upgrade is required. Until patching is possible, conduct an audit of application routing configurations to identify and eliminate unsafe path patterns matching the listed examples (/*foo-*bar-:baz, /*a-:b-*c-:d, /x/*a-:b/*c/y); refactor affected routes to use safe patterns such as /*foo-:bar or /*foo-:bar-*baz (with wildcards only at terminal positions). As a verification step before and after remediation, test the application's routing regex output using the ReCheck playground (https://makenowjust-labs.github.io/recheck/playground/) to confirm vulnerability status. Network-level mitigations such as request timeout enforcement and rate limiting on routing endpoints can provide defense-in-depth but do not eliminate the underlying flaw.
Same technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 6.2.0-1 | - |
| bookworm | vulnerable | 6.2.1-1 | - |
| trixie | vulnerable | 6.3.0-1 | - |
| forky, sid | vulnerable | 8.3.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16322
GHSA-27v5-c462-wpq7