CVE-2026-4923: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

March 27, 2026

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

References

cna.openjsf.org/security-advisories.html
github.com/advisories/GHSA-27v5-c462-wpq7
github.com/pillarjs/path-to-regexp
github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
makenowjust-labs.github.io/recheck/playground
nvd.nist.gov/vuln/detail/CVE-2026-4923

Code Behaviors & Features

Detect and mitigate CVE-2026-4923 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →