CVE-2026-4923

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

Assigner: openjs
Reserved: 26.03.2026 Published: 26.03.2026 Updated: 27.03.2026

Impact:

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/foo-bar-:baz /a-:b-c-:d /x/a-:b/c/y

Safe examples:

/foo-:bar /foo-:bar-*baz

Patches:

Upgrade to version 8.4.0.

Workarounds:

If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	path-to-regexp
Product	path-to-regexp
Versions	Default: unaffected affected from 8.0.0 to 8.4.0 (excl.) Version 8.4.0 is unaffected

Vendor

path-to-regexp

Product

path-to-regexp

Versions

Default: unaffected

affected from 8.0.0 to 8.4.0 (excl.)
Version 8.4.0 is unaffected

Credits

blakeembrey remediation developer
UlisesGascon remediation reviewer

References

Problem Types