7.5

CVE-2026-4867

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters

Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PillarjsPath-to-regexp SwPlatformnode.js Version < 0.1.13
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.5% 0.385
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ce714d77-add3-4f53-aff5-83d477b104bb 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://blakeembrey.com/posts/2024-09-web-redos
Technical Description
https://cna.openjsf.org/security-advisories.html
Third Party Advisory
https://github.com/advisories/GHSA-9wv6-86v2-598j
Not Applicable