CVE-2026-4923
Description
Impact:
When a route uses multiple wildcards combined with at least one parameter, path-to-regexp can generate a regular expression that is vulnerable to ReDoS (catastrophic backtracking). The vulnerable shape requires the second wildcard to appear somewhere other than the end of the path.
Unsafe examples:
- `/*foo-*bar-:baz`
- `/*a-:b-*c-:d`
- `/x/*a-:b/*c/y`
Safe examples:
- `/*foo-:bar`
- `/*foo-:bar-*baz`
Patches:
Upgrade to version 8.4.0.
Workarounds:
If you use multiple wildcard parameters, check the generated regex with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a given path is vulnerable.
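As an added example (not from the advisory or the path-to-regexp project), the following JavaScript lint applies the condition stated above to route strings before they are registered, so that risky patterns can be caught without building the regex; it assumes parameter and wildcard names are runs of word characters and that routes do not use `{optional}` groups or backslash escapes, and it is a first filter rather than a replacement for checking the generated regex with recheck.

```javascript
// Added example: pre-registration lint for the unsafe route shape described in
// this advisory for path-to-regexp >= 8.0.0, < 8.4.0. It inspects only the
// pattern text and never compiles a regex, so it is cheap to run in CI.
// Assumptions (not from the advisory): names are runs of word characters, and
// the routes contain no {optional} groups or backslash escapes.

const TOKEN_RE = /([:*])(\w+)/g; // ":name" = parameter, "*name" = wildcard

function tokenizeRoute(path) {
  const tokens = [];
  for (const m of path.matchAll(TOKEN_RE)) {
    tokens.push({
      kind: m[1] === '*' ? 'wildcard' : 'param',
      name: m[2],
      end: m.index + m[0].length, // offset just past the token
    });
  }
  return tokens;
}

// True when the pattern has the advisory's unsafe shape: at least two
// wildcards, at least one parameter, and the second wildcard is not the
// final thing in the path.
function isRedosProne(path) {
  const tokens = tokenizeRoute(path);
  const wildcards = tokens.filter((t) => t.kind === 'wildcard');
  const params = tokens.filter((t) => t.kind === 'param');
  if (wildcards.length < 2 || params.length === 0) return false;
  return wildcards[1].end !== path.length;
}

// Returns the routes that need review (or a rewrite) before deploying on an
// affected path-to-regexp version.
function auditRoutes(routes) {
  return routes.filter(isRedosProne);
}

// Constructed sample input: the advisory's own unsafe and safe examples.
const SAMPLE_ROUTES = [
  '/*foo-*bar-:baz', '/*a-:b-*c-:d', '/x/*a-:b/*c/y', // unsafe
  '/*foo-:bar', '/*foo-:bar-*baz',                     // safe
];

console.log('routes to review:', auditRoutes(SAMPLE_ROUTES));
```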
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | >= 8.0.0, < 8.4.0 | 8.4.0 |
Affected products
31 OSV package coordinates (no CPE is assigned to any entry):
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/code-server | < 4.112.0-r2 |
| pkg:apk/chainguard/gemini-cli | < 0.35.3-r0 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r12 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r12 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r5 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.3-r4 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.3-r4 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.179.1-r3 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.179.1-r2 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r6 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r5 |
| pkg:apk/chainguard/redisinsight | < 3.2.0-r4 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/thingsboard-tb-js-executor | < 4.3.1.1-r0 |
| pkg:apk/chainguard/thingsboard-tb-web-ui | < 4.3.1.1-r0 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r12 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r12 |
| pkg:apk/chainguard/vitess-22 | < 22.0.4-r9 |
| pkg:apk/chainguard/vitess-23 | < 23.0.3-r12 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.4-r1 |
| pkg:apk/wolfi/code-server | < 4.112.0-r2 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.179.1-r3 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r6 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/thingsboard-tb-js-executor | < 4.3.1.1-r0 |
| pkg:apk/wolfi/thingsboard-tb-web-ui | < 4.3.1.1-r0 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r12 |
| pkg:apk/wolfi/vitess-22 | < 22.0.4-r9 |
| pkg:apk/wolfi/vitess-23 | < 23.0.3-r12 |
| pkg:npm/path-to-regexp | >= 8.0.0, < 8.4.0 |
References
- cna.openjsf.org/security-advisories.html (NVD: Third Party Advisory)
- github.com/advisories/GHSA-27v5-c462-wpq7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4923 (NVD entry)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7 (project advisory)
- makenowjust-labs.github.io/recheck/playground (ReDoS checker referenced in the workaround)