High severity 7.5 · NVD Advisory · Published Mar 26, 2026 · Updated Apr 16, 2026
CVE-2026-4926
Description
Impact:
A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.
Patches:
Fixed in version 8.4.0.
Workarounds:
Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
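One way to enforce the first workaround is to lint a route table before it is registered. The following is an added example, not code from path-to-regexp or from the advisory. The function names and the limit of 2 are assumptions, and "sequential" is interpreted as groups that are directly adjacent with no text between them.

```javascript
// Added example: lint route patterns for runs of sequential optional groups.
// MAX_SEQUENTIAL_GROUPS is an assumed policy value, not taken from the advisory.
const MAX_SEQUENTIAL_GROUPS = 2;

// Longest run of directly adjacent {...} groups at any nesting depth.
// Backslash-escaped characters count as literal text; unbalanced braces throw.
function longestOptionalRun(pattern) {
  let i = 0;
  let longest = 0;

  // Scan one nesting level; return at the enclosing '}' or end of input.
  function scanLevel(depth) {
    let run = 0;
    while (i < pattern.length) {
      const ch = pattern[i];
      if (ch === "{") {
        i += 1;
        scanLevel(depth + 1); // consume the group body
        if (pattern[i] !== "}") throw new Error(`unbalanced '{' in ${pattern}`);
        i += 1;
        run += 1;
        longest = Math.max(longest, run);
      } else if (ch === "}") {
        if (depth === 0) throw new Error(`unbalanced '}' in ${pattern}`);
        return; // the caller consumes this brace
      } else {
        i += ch === "\\" ? 2 : 1; // skip an escaped character as a unit
        run = 0; // any other token ends the run
      }
    }
  }

  scanLevel(0);
  return longest;
}

// Return the patterns whose longest run exceeds the limit.
function auditRoutes(patterns, limit = MAX_SEQUENTIAL_GROUPS) {
  return patterns
    .map((pattern) => ({ pattern, run: longestOptionalRun(pattern) }))
    .filter((entry) => entry.run > limit);
}

// Constructed sample route table.
const routes = ["/users/:id", "/files{/:dir}/:name", "{a}{b}{c}:z", "/x{/:a{/:b}}{.:ext}"];
console.log(auditRoutes(routes));
```

Running the audit in CI or at startup keeps an over-limit pattern from reaching the router; it does not replace upgrading to the patched version.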
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | >= 8.0.0, < 8.4.0 | 8.4.0 |
References
- cna.openjsf.org/security-advisories.html (nvd: Third Party Advisory, WEB)
- github.com/advisories/GHSA-j3q9-mxjg-w52f (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-4926 (ghsa: ADVISORY)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f (ghsa: WEB)