Description
Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Regular Expression Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The path-to-regexp library constructs a regular expression that becomes vulnerable when three or more dynamic parameters are present in a single path segment separated by non‑dot characters. In such cases, the generated lookahead does not block single separator characters, causing capture groups to overlap and trigger catastrophic backtracking during URL matching. An attacker can exploit this by sending a request URL containing many characters, leading the server to expend excessive CPU resources and become unresponsive, thereby impacting application availability.

Affected Systems

The affected library is the path-to-regexp npm package. Versions up to and including 0.1.12 generate the problematic regular expression. Applications that import this package and use route patterns with three or more dynamic parameters in a single segment—without custom regex overrides—are at risk.

Risk and Exploitability

The CVSS score of 7.5 classifies this issue as high severity, indicating significant potential for service disruption. The EPSS score is not provided, so the likelihood of exploitation is uncertain, yet the attack does not require special privileges; any user able to craft a request can trigger the denial of service. This vulnerability is not listed in the CISA KEV catalog. Adopting the fix or a mitigating workaround quickly reduces the risk to application availability.

Generated by OpenCVE AI on March 26, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the path-to-regexp package to version 0.1.13 or later
  • Modify any route definitions that use three or more dynamic parameters in a single segment to include explicit regex patterns for subsequent parameters (e.g., :b([^-/]+))
  • If rewriting routes is not possible, limit the maximum allowed URL length to prevent excessively long request paths

Generated by OpenCVE AI on March 26, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-37ch-88jc-xwx2 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
History

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Pillarjs
Pillarjs path-to-regexp
CPEs cpe:2.3:a:pillarjs:path-to-regexp:*:*:*:*:*:node.js:*:*
Vendors & Products Pillarjs
Pillarjs path-to-regexp

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Path-to-regexp
Path-to-regexp path-to-regexp
Vendors & Products Path-to-regexp
Path-to-regexp path-to-regexp

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. Patches: Upgrade to path-to-regexp@0.1.13 Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group. Workarounds: All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Title path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Path-to-regexp Path-to-regexp
Pillarjs Path-to-regexp
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-26T16:52:14.893Z

Reserved: 2026-03-25T20:11:53.714Z

Link: CVE-2026-4867

cve-icon Vulnrichment

Updated: 2026-03-26T16:52:11.744Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T17:16:42.983

Modified: 2026-04-16T18:01:04.783

Link: CVE-2026-4867

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T16:16:25Z

Links: CVE-2026-4867 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:27Z

Weaknesses