CVE-2026-4867— path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4867
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Source: NVD (National Vulnerability Database)
Vulnerability Description
Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. Patches: Upgrade to path-to-regexp@0.1.13 Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group. Workarounds: All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1333
Source: NVD (National Vulnerability Database)
Vulnerability Title
Path-to-RegExp 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Path-to-RegExp是pillarjs开源的一个工具。用于将路径字符串转换为正则表达式。 path-to-regexp 0.1.12及之前版本存在安全漏洞,该漏洞源于生成的正则表达式存在缺陷,可能导致正则表达式拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| path-to-regexp | path-to-regexp | 0 ~ 0.1.13 | - |
II. Public POCs for CVE-2026-4867
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4867
请登录查看更多情报信息。
Same Patch Batch · path-to-regexp · 2026-03-26 · 3 CVEs total
| CVE-2026-4926 | 7.5 HIGH | path-to-regexp vulnerable to Denial of Service via sequential optional groups |
| CVE-2026-4923 | 5.9 MEDIUM | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards |
IV. Related Vulnerabilities
Same product: path-to-regexp
Same weakness: CWE-1333
- CVE-2026-33079
Mistune ReDoS in LINK_TITLE_RE allows denial of service with - CVE-2026-41040
GROWI 安全漏洞 - CVE-2026-40319
Giskard has a Regular Expression Denial of Service (ReDoS) i - CVE-2026-5986
Zod jsVideoUrlParser util.js getTime redos - CVE-2026-35041
ReDoS in fast-jwt when using RegExp in allowed* leading to C
V. Comments for CVE-2026-4867
No comments yet