CVE-2026-4867
Description
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, limiting the URL length is another option, since the backtracking cost grows with the length of the input the route regex is run against.
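As an added example (not code from the advisory or from the path-to-regexp project), a small JavaScript linter that flags route definitions of the shape described above and rewrites them to the workaround form; it assumes a simplified `:name(pattern)` token grammar and does not inspect the custom patterns themselves, so a custom pattern that could still match the separator text is left to the reviewer.

```javascript
// ":" name plus optional "(pattern)" custom group, as in path-to-regexp@0.1.x (simplified, no nested parens).
const PARAM_RE = /:([A-Za-z0-9_]+)(\(([^)]+)\))?/g;

// Split on "/" only outside parentheses, so a custom pattern like "[^-/]+" does not split a segment.
function splitSegments(routePath) {
  const segments = []; let depth = 0; let current = '';
  for (const ch of routePath) {
    if (ch === '(') depth += 1;
    else if (ch === ')') depth -= 1;
    if (ch === '/' && depth === 0) { segments.push(current); current = ''; }
    else current += ch;
  }
  segments.push(current);
  return segments;
}

// Literal text between consecutive parameter tokens of one segment.
function separatorsBetween(segment, params) {
  return params.slice(1).map((m, i) =>
    segment.slice(params[i].index + params[i][0].length, m.index));
}

// Segments with 3+ parameters, not all "."-separated, still on the default capture group.
function findRiskySegments(routePath) {
  const findings = [];
  splitSegments(routePath).forEach((segment, segmentIndex) => {
    const params = [...segment.matchAll(PARAM_RE)];
    if (params.length < 3) return;
    const onlyDots = separatorsBetween(segment, params).every((s) => s === '.');
    const restCustom = params.slice(1).every((m) => m[2] !== undefined);
    if (!onlyDots && !restCustom) findings.push({ segmentIndex, segment, paramCount: params.length });
  });
  return findings;
}

// "[^<separators>/]+": matches neither the separator text nor "/"; "-" first so it stays literal.
function separatorClass(segment, params) {
  const chars = [...new Set(separatorsBetween(segment, params).join(''))];
  const ordered = [...chars.filter((c) => c === '-'), ...chars.filter((c) => c !== '-')];
  const body = ordered.map((c) => ('\\]^'.includes(c) ? '\\' + c : c)).join('');
  return `[^${body}/]+`;
}

// Apply the advisory's workaround: every parameter after the first gets a custom pattern.
function hardenRoute(routePath) {
  const risky = new Set(findRiskySegments(routePath).map((f) => f.segmentIndex));
  return splitSegments(routePath).map((segment, index) => {
    if (!risky.has(index)) return segment;
    const cls = separatorClass(segment, [...segment.matchAll(PARAM_RE)]);
    let seen = 0;
    return segment.replace(PARAM_RE, (token, name, custom) =>
      (++seen === 1 || custom !== undefined ? token : `:${name}(${cls})`));
  }).join('/');
}
```

Running `hardenRoute('/:a-:b-:c')` yields the advisory's own rewrite, `/:a-:b([^-/]+)-:c([^-/]+)`, and the result is no longer flagged by `findRiskySegments`.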
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | < 0.1.13 | 0.1.13 |
Affected products
Versions sourced from OSV coordinates (22 entries, none with a CPE).

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/argo-workflows-ui-3.6 | < 3.6.19-r5 |
| pkg:apk/chainguard/argo-workflows-ui-3.7 | < 3.7.12-r2 |
| pkg:apk/chainguard/argo-workflows-ui-4.0 | < 4.0.3-r2 |
| pkg:apk/chainguard/json-server | < 0.17.4-r6 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.10.0-r18 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.16.0-r12 |
| pkg:apk/chainguard/kubescape-grype-offline-db | < 0_git20250804-r1 |
| pkg:apk/chainguard/langfuse-2 | < 2.95.12-r17 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r17 |
| pkg:apk/chainguard/langfuse-fips-2 | < 2.95.12-r20 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r20 |
| pkg:apk/chainguard/pelias-api | < 7.6.0-r5 |
| pkg:apk/chainguard/sqlpad | < 7.5.7-r17 |
| pkg:apk/chainguard/thingsboard-tb-js-executor-fips | < 4.3.1.1-r0 |
| pkg:apk/chainguard/thingsboard-tb-web-ui-fips | < 4.3.1.1-r0 |
| pkg:apk/wolfi/argo-workflows-ui-3.7 | < 3.7.12-r2 |
| pkg:apk/wolfi/argo-workflows-ui-4.0 | < 4.0.3-r2 |
| pkg:apk/wolfi/json-server | < 0.17.4-r6 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.10.0-r18 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.16.0-r12 |
| pkg:apk/wolfi/sqlpad | < 7.5.7-r17 |
| pkg:npm/path-to-regexp | < 0.1.13 |
References
- cna.openjsf.org/security-advisories.html (NVD: Third Party Advisory)
- github.com/advisories/GHSA-37ch-88jc-xwx2 (GHSA advisory)
- github.com/advisories/GHSA-9wv6-86v2-598j (NVD: Not Applicable)
- nvd.nist.gov/vuln/detail/CVE-2026-4867 (GHSA)
- blakeembrey.com/posts/2024-09-web-redos (NVD: Technical Description)
- github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13 (GHSA)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2 (GHSA)