DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-4926: Regular Expression Denial of Service in pillarjs path-to-regexp

Vulnerability ID: CVE-2026-4926
CVSS Score: 7.5
Published: 2026-03-27

The path-to-regexp library, versions 8.0.0 through 8.3.0, suffers from a high-severity Regular Expression Denial of Service (ReDoS) vulnerability. The flaw stems from an exponential combinatorial explosion when parsing sequential optional groups: each additional optional group doubles the number of path combinations the library must generate, leading to severe CPU and memory exhaustion.

TL;DR

CVE-2026-4926 is a ReDoS flaw in path-to-regexp (v8.0.0-8.3.0) causing CPU and memory exhaustion via exponential expansion of optional groups. Upgrading to 8.4.0 resolves the issue via trie-based deduplication and a hard permutation limit.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-1333 / CWE-400
  • Attack Vector: Network
  • CVSS: 7.5 (High)
  • EPSS Score: 0.0004 (12.15%)
  • Impact: Availability (Denial of Service)
  • Exploit Status: Proof of Concept available
  • KEV Status: Not Listed

Affected Systems

  • Node.js applications using path-to-regexp versions 8.0.0 through 8.3.0
  • Express.js ecosystem relying on vulnerable versions
  • Koa ecosystem relying on vulnerable versions
  • path-to-regexp: >= 8.0.0, <= 8.3.0 (Fixed in: 8.4.0)

Code Analysis

Commit: 43669ac

Introduced a trie-based deduplication strategy to merge common prefixes and prevent exponential memory consumption.

Commit: 22a9679

Implemented a hard limit of 256 path combinations to prevent algorithmic exhaustion.

Exploit Details

  • Research Report: Proof of concept demonstrating exponential resource consumption using sequential optional groups.

Mitigation Strategies

  • Upgrade path-to-regexp to version 8.4.0 or later.
  • Avoid passing user-controlled input to route definition functions.
  • Limit the use of complex sequential optional groups in static routes.
  • Implement strict input validation on all dynamic routing parameters.
  • Integrate ReDoS detection tools like recheck into the CI/CD pipeline.

Remediation Steps:

  1. Audit application dependencies using npm audit or yarn audit to identify vulnerable versions of path-to-regexp.
  2. Update package.json and lockfiles to force resolution of path-to-regexp to >=8.4.0.
  3. Review source code for dynamic route generation that incorporates user input.
  4. Refactor complex routes that chain sequential optional groups ({}) into discrete, explicit route definitions.
  5. Deploy the updated application and monitor CPU and memory utilization metrics.
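The following is an added example; it is not code from the original report or from the path-to-regexp project. It models the v8 `{...}` optional-group syntax with a small parser of its own (an assumption: only braces are interpreted, parameters such as :id are treated as literal text), computes how many concrete paths a pattern would expand to without materialising them, rejects anything above the 256-combination ceiling quoted for the 8.4.0 fix, and expands small patterns into the explicit routes that remediation step 4 recommends. The helper names and sample patterns are constructed for this example.

```javascript
// Added example, not code from the report or from path-to-regexp.
// Models path-to-regexp v8 optional groups `{...}` (assumption: nothing else
// in the pattern syntax is interpreted; parameters stay literal text).

const MAX_COMBINATIONS = 256; // the hard limit quoted in the report for 8.4.0

// Parse a pattern into a token tree: strings are literal text,
// { optional: [...] } nodes are optional groups and may nest.
function parsePattern(pattern) {
  const root = [];
  const stack = [root];
  let buf = '';
  for (const ch of pattern) {
    const top = stack[stack.length - 1];
    if (ch === '{') {
      if (buf) { top.push(buf); buf = ''; }
      const group = [];
      top.push({ optional: group });
      stack.push(group);
    } else if (ch === '}') {
      if (stack.length === 1) throw new Error('unbalanced "}" in pattern');
      if (buf) { top.push(buf); buf = ''; }
      stack.pop();
    } else {
      buf += ch;
    }
  }
  if (stack.length !== 1) throw new Error('unbalanced "{" in pattern');
  if (buf) root.push(buf);
  return root;
}

// Number of concrete paths a token sequence expands to. A literal is a factor
// of 1; an optional group is (1 + combinations of its body) because it can be
// omitted or present. n sequential groups therefore give 2**n, the growth
// behind CVE-2026-4926. This runs in linear time and allocates nothing large.
function countCombinations(tokens) {
  let total = 1;
  for (const tok of tokens) {
    if (typeof tok === 'string') continue;
    total *= 1 + countCombinations(tok.optional);
  }
  return total;
}

// Cheap pre-flight check for any code path that turns text into a route
// pattern; unbalanced braces are rejected as well.
function isSafeRoutePattern(pattern, max = MAX_COMBINATIONS) {
  try {
    return countCombinations(parsePattern(pattern)) <= max;
  } catch (err) {
    return false;
  }
}

// Expand a pattern into explicit routes (remediation step 4). The count is
// checked first so the refactoring helper cannot be driven into the same
// blow-up it is meant to remove.
function expandPattern(pattern, max = MAX_COMBINATIONS) {
  const tokens = parsePattern(pattern);
  const n = countCombinations(tokens);
  if (n > max) {
    throw new Error(`pattern expands to ${n} routes, above the limit of ${max}`);
  }
  return expandTokens(tokens);
}

function expandTokens(tokens) {
  let paths = [''];
  for (const tok of tokens) {
    if (typeof tok === 'string') {
      paths = paths.map((p) => p + tok);
    } else {
      const inner = expandTokens(tok.optional);
      const next = [];
      for (const p of paths) {
        next.push(p);                              // group omitted
        for (const i of inner) next.push(p + i);   // group present
      }
      paths = next;
    }
  }
  return paths;
}

// Constructed sample patterns: a realistic small route and one chaining
// nine sequential optional groups (2**9 = 512 paths, above the ceiling).
const SMALL_PATTERN = '/users{/:id}{/posts}';
const MANY_GROUPS_PATTERN = '/api' + '{/:p}'.repeat(9);

console.log(countCombinations(parsePattern(SMALL_PATTERN)), expandPattern(SMALL_PATTERN));
console.log(isSafeRoutePattern(MANY_GROUPS_PATTERN)); // false: 512 > 256
```

The useful property is that countCombinations is a multiplication over the pattern and never builds the path list, so it can sit in front of any route-registration call (or in a CI lint over static route tables) without itself becoming the expensive step.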

