Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (openjs).
CVSS VectorVendor: openjs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 30 npm packages depend on path-to-regexp (12 direct, 18 indirect)
Ecosystem-wide dependent count for version 8.0.0.
DescriptionCVE.org
Impact:
A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.
Patches:
Fixed in version 8.4.0.
Workarounds:
Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
AnalysisAI
The path-to-regexp library versions 8.0.0 through 8.3.0 suffer from catastrophic regular expression denial of service via exponential regex generation when route patterns contain multiple sequential optional groups in curly-brace syntax. Remote unauthenticated attackers can trigger resource exhaustion by submitting crafted route patterns, causing application-level denial of service with CVSS 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released version 8.4.0 to address the issue.
Technical ContextAI
The path-to-regexp library, a widely-used JavaScript routing utility that converts path strings into regular expressions (affected product: cpe:2.3:a:path-to-regexp:path-to-regexp), contains a flaw rooted in CWE-400 (Uncontrolled Resource Consumption). When processing route patterns with multiple consecutive optional groups using curly-brace syntax such as {a}{b}{c}:z, the library generates regular expressions that grow exponentially in complexity with each additional group. This algorithmic inefficiency creates a classic Regular Expression Denial of Service (ReDoS) condition where pattern-matching operations consume excessive CPU cycles, potentially blocking the event loop in Node.js applications or causing significant performance degradation in environments where the library processes route definitions.
RemediationAI
Upgrade path-to-regexp to version 8.4.0 or later, which contains the vendor-released patch addressing the exponential regex generation issue. Organizations should review the OpenJS Foundation security advisory at https://cna.openjsf.org/security-advisories.html for complete upgrade guidance. As an interim mitigation until patching is completed, implement input validation to limit the number of sequential optional groups in route patterns and enforce strict controls preventing user-supplied data from being used as route pattern definitions. Applications using static route configurations defined at development time require less urgent remediation compared to systems dynamically generating routes from external input.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 6.2.0-1 | - |
| bookworm | vulnerable | 6.2.1-1 | - |
| trixie | vulnerable | 6.3.0-1 | - |
| forky, sid | vulnerable | 8.3.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16324
GHSA-j3q9-mxjg-w52f