CVE-2026-4923
Description
Impact:
When a path contains multiple wildcards combined with at least one parameter, path-to-regexp can generate a regular expression that is vulnerable to ReDoS (catastrophic backtracking). The vulnerable case requires the second wildcard to appear somewhere other than the end of the path.
Unsafe examples:
- /*foo-*bar-:baz
- /*a-:b-*c-:d
- /x/*a-:b/*c/y
Safe examples:
- /*foo-:bar
- /*foo-:bar-*baz
Patches:
Upgrade to version 8.4.0.
Workarounds:
If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
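As an added example (not code from the advisory or from path-to-regexp itself), the following static pre-check flags route strings that have the unsafe shape described above: two or more wildcards, at least one parameter, and a wildcard after the first one that does not sit at the end of the path. It is a conservative triage heuristic to run over a route table before a full regex check with a tool such as recheck; it assumes only the plain `:name` / `*name` token syntax and does not parse quoted names or `{...}` optional groups.

```javascript
// Added example, not part of the advisory or the path-to-regexp project.
// Heuristic: flag path-to-regexp 8.x route strings with >= 2 "*wildcard" tokens,
// >= 1 ":param" token, and any wildcard after the first that is not at the very
// end of the path. Assumption: only ":name" / "*name" with identifier names are
// recognised; a backslash escape ("\*", "\:") is skipped and not treated as a token.

const TOKEN_RE = /\\.|([:*])([A-Za-z0-9_]+)/g;

/** Split a route string into {type, name, start, end} entries for ':' and '*' tokens. */
function tokenize(path) {
  const tokens = [];
  for (const m of path.matchAll(TOKEN_RE)) {
    if (m[1] === undefined) continue; // matched a backslash escape, ignore it
    tokens.push({
      type: m[1] === '*' ? 'wildcard' : 'param',
      name: m[2],
      start: m.index,
      end: m.index + m[0].length,
    });
  }
  return tokens;
}

/** True when the path has the unsafe shape described in the advisory. */
function isPotentiallyVulnerable(path) {
  const tokens = tokenize(path);
  const wildcards = tokens.filter((t) => t.type === 'wildcard');
  const hasParam = tokens.some((t) => t.type === 'param');
  if (wildcards.length < 2 || !hasParam) return false;
  // Safe only if every wildcard after the first is the final token in the path.
  return wildcards.slice(1).some((w) => w.end !== path.length);
}

/** Return the subset of routes that need a closer regex-level review. */
function flagRoutes(routes) {
  return routes.filter(isPotentiallyVulnerable);
}

// Constructed sample route table built from the advisory's own examples.
const SAMPLE_ROUTES = [
  '/*foo-*bar-:baz', '/*a-:b-*c-:d', '/x/*a-:b/*c/y', // unsafe per advisory
  '/*foo-:bar', '/*foo-:bar-*baz',                     // safe per advisory
];

console.log('routes to review:', flagRoutes(SAMPLE_ROUTES));
```

The flagged routes are candidates only; confirm each one by checking the generated regex in recheck before changing it.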
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| path-to-regexp | npm | >= 8.0.0, < 8.4.0 | 8.4.0 |
References
- cna.openjsf.org/security-advisories.html (NVD: Third Party Advisory)
- github.com/advisories/GHSA-27v5-c462-wpq7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4923 (NVD entry)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7 (upstream advisory)
- makenowjust-labs.github.io/recheck/playground (ReDoS checker referenced in the workaround)