Skip to main content

Path To Regexp

1 CVEs product

Monthly

CVE-2026-4926 npm HIGH PATCH GHSA This Week

The path-to-regexp library versions 8.0.0 through 8.3.0 suffer from catastrophic regular expression denial of service via exponential regex generation when route patterns contain multiple sequential optional groups in curly-brace syntax. Remote unauthenticated attackers can trigger resource exhaustion by submitting crafted route patterns, causing application-level denial of service with CVSS 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released version 8.4.0 to address the issue.

Denial Of Service Path To Regexp
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The path-to-regexp library versions 8.0.0 through 8.3.0 suffer from catastrophic regular expression denial of service via exponential regex generation when route patterns contain multiple sequential optional groups in curly-brace syntax. Remote unauthenticated attackers can trigger resource exhaustion by submitting crafted route patterns, causing application-level denial of service with CVSS 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released version 8.4.0 to address the issue.

Denial Of Service Path To Regexp
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy