2026-03-26 18:59 | CVE-2026-4926 | openjs
PUBLISHED | 5.2 | CWE-400 | CWE-1333

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
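
One way to enforce the first workaround is to lint route patterns before they reach the router. The following is an added example, not code from path-to-regexp or the advisory: the scanner is a simplified reading of the curly-brace syntax (backslash escapes and nesting only), and `MAX_SEQUENTIAL_GROUPS`, `longestOptionalRun` and `auditRoutes` are hypothetical names with an assumed limit of 2.

```javascript
// Added example: lint route patterns for runs of sequential optional groups.
// Simplified scanner (backslash escapes and brace nesting only); it is not
// path-to-regexp's own parser.
const MAX_SEQUENTIAL_GROUPS = 2; // assumed policy limit, not from the advisory

function longestOptionalRun(pattern) {
  const runs = [0]; // runs[d] = groups closed back-to-back at depth d
  let longest = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") {
      i++; // the escaped character is a literal
      runs[runs.length - 1] = 0;
    } else if (ch === "{") {
      runs.push(0); // opening a group does not break the parent's run
    } else if (ch === "}") {
      if (runs.length === 1) throw new SyntaxError(`unbalanced "}" at ${i}`);
      runs.pop();
      const run = ++runs[runs.length - 1];
      if (run > longest) longest = run;
    } else {
      runs[runs.length - 1] = 0; // any other token ends the run
    }
  }
  if (runs.length !== 1) throw new SyntaxError('unclosed "{"');
  return longest;
}

function auditRoutes(patterns, limit = MAX_SEQUENTIAL_GROUPS) {
  const findings = [];
  for (const pattern of patterns) {
    let run;
    try {
      run = longestOptionalRun(pattern);
    } catch (err) {
      findings.push({ pattern, reason: err.message }); // reject unparseable input
      continue;
    }
    if (run > limit) {
      findings.push({ pattern, reason: `${run} sequential optional groups` });
    }
  }
  return findings;
}

// Constructed sample route table.
const sampleRoutes = ["/users/:id", "/files{/:dir}{.:ext}", "{a}{b}{c}:z", "/x{a{b}{c}{d}}", "/bad{open"];
console.log(auditRoutes(sampleRoutes));
```

Run it in CI over the application's route table, and treat any finding as a reason to restructure the pattern or upgrade to 8.4.0.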

Problem type

Affected products

path-to-regexp

path-to-regexp

< 8.4.0 - AFFECTED

8.4.0 - UNAFFECTED

References

GitHub Security Advisories

GHSA-j3q9-mxjg-w52f

path-to-regexp vulnerable to Denial of Service via sequential optional groups

https://github.com/advisories/GHSA-j3q9-mxjg-w52f


JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-4926
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-4926",
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "dateUpdated": "2026-03-26T18:59:38.000Z",
    "dateReserved": "2026-03-26T18:36:49.229Z",
    "datePublished": "2026-03-26T18:59:38.000Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs",
        "dateUpdated": "2026-03-26T18:59:38.000Z"
      },
      "title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups",
      "descriptions": [
        {
          "lang": "en",
          "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "path-to-regexp",
          "product": "path-to-regexp",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "8.0.0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "8.4.0"
            },
            {
              "version": "8.4.0",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "cweId": "CWE-400",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "cweId": "CWE-1333",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "uug4na",
          "type": "reporter"
        },
        {
          "lang": "en",
          "value": "blakeembrey",
          "type": "remediation developer"
        },
        {
          "lang": "en",
          "value": "UlisesGascon",
          "type": "remediation reviewer"
        }
      ]
    }
  }
}