CVE-2026-4867: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
References
- blakeembrey.com/posts/2024-09-web-redos
- cna.openjsf.org/security-advisories.html
- github.com/advisories/GHSA-37ch-88jc-xwx2
- github.com/advisories/GHSA-9wv6-86v2-598j
- github.com/pillarjs/path-to-regexp
- github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
- nvd.nist.gov/vuln/detail/CVE-2026-4867
Code Behaviors & Features
Detect and mitigate CVE-2026-4867 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →