CVE-2026-4926

Summary

Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Affected Software

VendorProductVersion RangeStatus
path-to-regexppath-to-regexp8.0.0 < 8.4.0affected
path-to-regexppath-to-regexp8.4.0unaffected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption
  • CWE-1333: CWE-1333: Inefficient Regular Expression Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions

Additional References

References