Description
Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A misuse of the regular expression engine in the path-to-regexp library causes a denial of service when route patterns contain multiple sequential optional groups. The algorithm that transforms these patterns into a regular expression expands exponentially as more optional groups are added, which can overload the server with time to compile or match the pattern. This weakness reduces the availability of applications that rely on path-to-regexp for routing.

Affected Systems

The vulnerability affects the path-to-regexp package, a JavaScript routing utility used in many web frameworks. Any deployment using a version prior to 8.4.0 is susceptible, especially when route definitions include more than one consecutive optional group. Products that embed path-to-regexp directly or indirectly must verify the version they are running.

Risk and Exploitability

With a CVSS score of 7.5 the risk is moderate to high. Exploitation requires crafting a route pattern with sequential optional groups, which is feasible if the application author uses dynamic route construction from user input. Attackers can trigger CPU exhaustion by repeatedly accessing such URLs, leading to denial of service. Because the EPSS score is unavailable, the probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog, but the severity remains significant for exposed applications.

Generated by OpenCVE AI on March 26, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the path-to-regexp package to version 8.4.0 or later.
  • Reduce the number of sequential optional groups in all route patterns.
  • Avoid using user-provided data directly to build route patterns; validate or sanitize input before use.
  • Monitor application performance for signs of regex compilation delays or high CPU usage.
  • Apply temporary throttling or circuit-breaking mechanisms to mitigate denial of service attacks.

Generated by OpenCVE AI on March 26, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j3q9-mxjg-w52f path-to-regexp vulnerable to Denial of Service via sequential optional groups
History

Thu, 16 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Pillarjs
Pillarjs path-to-regexp
CPEs cpe:2.3:a:pillarjs:path-to-regexp:*:*:*:*:*:node.js:*:*
Vendors & Products Pillarjs
Pillarjs path-to-regexp

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Path-to-regexp
Path-to-regexp path-to-regexp
Vendors & Products Path-to-regexp
Path-to-regexp path-to-regexp

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Title path-to-regexp vulnerable to Denial of Service via sequential optional groups
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Path-to-regexp Path-to-regexp
Pillarjs Path-to-regexp
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-27T19:44:53.294Z

Reserved: 2026-03-26T18:36:49.229Z

Link: CVE-2026-4926

cve-icon Vulnrichment

Updated: 2026-03-27T19:44:50.233Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T19:17:08.387

Modified: 2026-04-16T18:04:13.123

Link: CVE-2026-4926

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T18:59:38Z

Links: CVE-2026-4926 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:25:40Z

Weaknesses