CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-4923: Regular Expression Denial of Service (ReDoS) in path-to-regexp

Vulnerability ID: CVE-2026-4923
CVSS Score: 5.9
Published: 2026-03-27

The path-to-regexp library, commonly used by Node.js frameworks such as Express.js for routing, contains a Regular Expression Denial of Service (ReDoS) vulnerability in versions 8.0.0 through 8.3.0. The flaw is triggered when a crafted request path is matched against route patterns that contain multiple wildcards, leading to CPU exhaustion and application downtime.

TL;DR

A ReDoS vulnerability in path-to-regexp >= 8.0.0 and < 8.4.0 allows attackers to cause a Denial of Service by sending crafted paths to applications that use complex multi-wildcard routing patterns.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1333
  • Attack Vector: Network
  • CVSS Score: 5.9 (Medium)
  • EPSS Score: 0.0004 (0.04%)
  • Impact: High Availability (DoS)
  • Exploit Status: None (PoC available)
  • CISA KEV: Not Listed

Affected Systems

  • Node.js Applications
  • Express.js Framework Deployments
  • Applications utilizing path-to-regexp >= 8.0.0, < 8.4.0
  • path-to-regexp: >= 8.0.0, < 8.4.0 (Fixed in: 8.4.0)

Code Analysis

Commit: 43669ac

Switch to non-greedy quantifiers and implement SourceNode trie deduplication to mitigate ReDoS.

Commit: 22a9679

Introduce a hard combinatorial limit of 256 paths to prevent complex route generation.

Exploit Details

Mitigation Strategies

  • Upgrade path-to-regexp to version 8.4.0
  • Refactor route patterns to avoid multiple non-terminal wildcards
  • Implement URL length validation at the WAF or application layer
  • Monitor Node.js event loop lag and CPU utilization
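The two runtime mitigations listed above (URL length validation and event-loop monitoring) as an added example; this is not code from the advisory or from the path-to-regexp project. It assumes an Express-compatible `(req, res, next)` middleware signature, and the 2048-character limit and 200 ms lag threshold are chosen values, not figures from the advisory.

```javascript
// Added example: request-URI length guard plus an event-loop lag sampler.
// Assumptions: Express-style (req, res, next) middleware; MAX_URL_LENGTH and
// the lag threshold are illustrative values to be tuned per application.

const MAX_URL_LENGTH = 2048; // assumed limit, not from the advisory

// Reject over-long request targets with 414 before they reach the router,
// so an oversized path is never handed to the route matcher at all.
function limitUrlLength(maxLength = MAX_URL_LENGTH) {
  return function (req, res, next) {
    const url = req.originalUrl || req.url || '';
    if (url.length > maxLength) {
      res.statusCode = 414;
      res.setHeader('Content-Type', 'text/plain');
      res.end('URI Too Long');
      return;
    }
    next();
  };
}

// Pure alerting rule: true when any lag sample exceeds the threshold.
// Kept separate from the timer so it can be tested without real time.
function lagExceeds(samplesMs, thresholdMs) {
  return samplesMs.some((s) => s > thresholdMs);
}

// Event-loop lag monitor: schedule a timer every `intervalMs` and measure how
// late it fires. A loop stuck in a pathological regex match shows up as a
// large, sustained lag reading, which is the signal the advisory recommends
// watching for.
function startLagMonitor({ intervalMs = 500, thresholdMs = 200, onLag = console.warn } = {}) {
  let last = process.hrtime.bigint();
  const timer = setInterval(() => {
    const now = process.hrtime.bigint();
    const lagMs = Number(now - last) / 1e6 - intervalMs;
    last = now;
    if (lagExceeds([lagMs], thresholdMs)) {
      onLag(`event loop lag ${lagMs.toFixed(1)} ms exceeds ${thresholdMs} ms`);
    }
  }, intervalMs);
  timer.unref(); // do not keep the process alive just for the monitor
  return () => clearInterval(timer);
}
```

Mount `limitUrlLength()` before the router (`app.use(limitUrlLength())`) so the check runs ahead of any route matching, and call `startLagMonitor()` once at startup; the returned function stops the monitor. Node's `perf_hooks.monitorEventLoopDelay()` gives a histogram-based alternative to the timer-drift approach shown here.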

Remediation Steps:

  1. Run 'npm list path-to-regexp' to identify vulnerable dependencies.
  2. Update package.json to require path-to-regexp@^8.4.0.
  3. Execute 'npm update path-to-regexp' or use dependency resolution overrides to force transitive upgrades.
  4. Audit existing route definitions for multi-wildcard patterns such as '/*a-*b-:c' and refactor them.
  5. Deploy WAF rules limiting the maximum length of request URIs.
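Steps 1 and 4 of the remediation list as an added example, not code from the advisory or the path-to-regexp project. `findVulnerable()` walks the JSON that `npm ls --json --all` prints and lists every copy of path-to-regexp inside the affected range (>= 8.0.0, < 8.4.0), including transitive ones; `auditRoutePattern()` flags route strings that contain more than one wildcard with at least one not at the end of the pattern. The sample dependency tree, the version numbers in it, and the "risky" heuristic are constructed assumptions for illustration.

```javascript
// Added example: dependency-tree scan and route-pattern audit for CVE-2026-4923.
// Assumptions: npm ls --json output shape (dependencies keyed by name, each
// with a version); path-to-regexp v8 wildcard syntax is `*name`.

const AFFECTED_MIN = [8, 0, 0]; // inclusive lower bound of the affected range
const FIXED = [8, 4, 0];        // first fixed version (exclusive upper bound)

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` falls inside [8.0.0, 8.4.0).
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, AFFECTED_MIN) >= 0 && cmp(v, FIXED) < 0;
}

// Walk an `npm ls --json --all` tree and return the dependency chain of every
// affected path-to-regexp install, e.g. "express@X > router@Y > path-to-regexp@8.1.0".
function findVulnerable(tree, trail = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...trail, `${name}@${info.version}`];
    if (name === 'path-to-regexp' && isAffected(info.version)) out.push(here.join(' > '));
    findVulnerable(info, here, out);
  }
  return out;
}

// A wildcard is "terminal" when nothing follows it in the pattern.
// Heuristic (assumption): two or more wildcards with at least one non-terminal
// is what the advisory describes as a multi-wildcard pattern to refactor.
function auditRoutePattern(pattern) {
  const re = /\*([A-Za-z_$][\w$]*)?/g;
  let m, wildcards = 0, nonTerminal = 0;
  while ((m = re.exec(pattern)) !== null) {
    wildcards++;
    if (m.index + m[0].length < pattern.length) nonTerminal++;
  }
  return { pattern, wildcards, nonTerminal, risky: wildcards >= 2 && nonTerminal >= 1 };
}

// Convenience: the subset of route strings that need refactoring.
function auditRoutes(patterns) {
  return patterns.map(auditRoutePattern).filter((r) => r.risky).map((r) => r.pattern);
}

// Constructed sample tree: the direct install is already fixed, but a
// transitive copy under a hypothetical router package is still in range.
const SAMPLE_TREE = {
  name: 'app', version: '1.0.0',
  dependencies: {
    'path-to-regexp': { version: '8.4.0' },
    express: {
      version: '5.0.0',
      dependencies: {
        router: { version: '2.0.0', dependencies: { 'path-to-regexp': { version: '8.1.0' } } },
      },
    },
  },
};
```

Feed real data with `node -e` after `npm ls --json --all > tree.json`, or pipe the parsed JSON into `findVulnerable()`; an empty result means every copy in the tree is at 8.4.0 or later (or outside the 8.x line). Routes flagged by `auditRoutes()` are the ones to rewrite per step 4, independently of the upgrade.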

Read the full report for CVE-2026-4923 on our website for more details including interactive diagrams and full exploit analysis.