CVE-2026-4867
Impact
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
References
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2, https://nvd.nist.gov/vuln/detail/CVE-2026-4867, https://blakeembrey.com/posts/2024-09-web-redos, https://cna.openjsf.org/security-advisories.html, https://github.com/advisories/GHSA-9wv6-86v2-598j, https://github.com/pillarjs/path-to-regexp, https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13
Basic Information
