GHSA-37ch-88jc-xwx2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-37ch-88jc-xwx2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-37ch-88jc-xwx2/GHSA-37ch-88jc-xwx2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-37ch-88jc-xwx2
- Aliases
-
- CVE-2026-4867
- Published
- 2026-03-27T20:04:53Z
- Modified
- 2026-03-27T20:18:48.053722Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
- Details
-
Impact
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (
.). For example,/:a-:b-:cor/:a-:b-:c-:d. The backtrack protection added inpath-to-regexp@0.1.12only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.Patches
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g.,
/:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change
/:a-:b-:cto/:a-:b([^-/]+)-:c([^-/]+).If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
References
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-1333" ], "nvd_published_at": "2026-03-26T17:16:42Z", "github_reviewed_at": "2026-03-27T20:04:53Z", "severity": "HIGH" }- References
-
- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
- https://nvd.nist.gov/vuln/detail/CVE-2026-4867
- https://blakeembrey.com/posts/2024-09-web-redos
- https://cna.openjsf.org/security-advisories.html
- https://github.com/advisories/GHSA-9wv6-86v2-598j
- https://github.com/pillarjs/path-to-regexp
- https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13
Affected packages
npm / path-to-regexp
Package
- Name
- path-to-regexp
- View open source insights on deps.dev
- Purl
- pkg:npm/path-to-regexp