VYPR
High severity7.5NVD Advisory· Published Mar 26, 2026· Updated Apr 16, 2026

CVE-2026-4926

CVE-2026-4926

Description

Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
path-to-regexpnpm
>= 8.0.0, < 8.4.08.4.0

Affected products

29

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.