CVE-2026-4926 PUBLISHED

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Assigner: openjs
Reserved: 26.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	path-to-regexp
Product	path-to-regexp
Versions	Default: unaffected affected from 8.0.0 to 8.4.0 (excl.) Version 8.4.0 is unaffected

Credits

uug4na reporter
blakeembrey remediation developer
UlisesGascon remediation reviewer

References

https://cna.openjsf.org/security-advisories.html

Problem Types

CWE-400: Uncontrolled Resource Consumption CWE
CWE-1333: Inefficient Regular Expression Complexity CWE