Description
Impact:

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches:

Upgrade to version 8.4.0.

Workarounds:

If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
Published: 2026-03-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Regular Expression Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to trigger a regular expression backtracking condition by crafting a path that contains multiple wildcards together with at least one parameter. The resulting regular expression can consume excessive CPU resources, leading to a denial of service for the application without providing any other direct compromise. The weakness is classified as Date Regular Expression Denial of Service (CWE-1333).

Affected Systems

The affected component is the path-to-regexp library, an npm package used for routing in JavaScript applications. All versions before the 8.4.0 release are vulnerable. The library is commonly embedded in web frameworks that build request routing patterns, so any application that includes a vulnerable version of path-to-regexp is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity impact. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly known exploits yet. The likely attack vector is an HTTP request containing a specially crafted URL that triggers the inefficient regular expression during routing. Because the vulnerability only affects internal pattern matching, remediation typically involves updating the dependency or avoiding multiple wildcard parameters in routes.

Generated by OpenCVE AI on March 26, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading path-to-regexp to version 8.4.0 or later
  • If upgrading is not immediately possible, use a regex checking tool such as https://makenowjust-labs.github.io/recheck/playground/ to review generated regexes for paths with multiple wildcards
  • Avoid or limit the use of multiple wildcard parameters within routing definitions to prevent construction of vulnerable patterns

Generated by OpenCVE AI on March 26, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-27v5-c462-wpq7 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
History

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Pillarjs
Pillarjs path-to-regexp
CPEs cpe:2.3:a:pillarjs:path-to-regexp:*:*:*:*:*:node.js:*:*
Vendors & Products Pillarjs
Pillarjs path-to-regexp

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Path-to-regexp
Path-to-regexp path-to-regexp
Vendors & Products Path-to-regexp
Path-to-regexp path-to-regexp

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y Safe examples: /*foo-:bar /*foo-:bar-*baz Patches: Upgrade to version 8.4.0. Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
Title path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Path-to-regexp Path-to-regexp
Pillarjs Path-to-regexp
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-27T13:58:03.925Z

Reserved: 2026-03-26T18:05:44.717Z

Link: CVE-2026-4923

cve-icon Vulnrichment

Updated: 2026-03-27T13:46:51.745Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T19:17:08.187

Modified: 2026-04-16T18:03:37.620

Link: CVE-2026-4923

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T19:02:00Z

Links: CVE-2026-4923 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:25:37Z

Weaknesses