VYPR

npm package

path-to-regexp

pkg:npm/path-to-regexp

Vulnerabilities (5)

  • CVE-2026-4926 | High | Mar 26, 2026
    affected >= 8.0.0, < 8.4.0; fixed 8.4.0

    Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Work

  • CVE-2026-4923 | Medium | Mar 26, 2026
    affected >= 8.0.0, < 8.4.0; fixed 8.4.0

    Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*

  • CVE-2026-4867 | High | Mar 26, 2026
    affected < 0.1.13; fixed 0.1.13

    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu

  • CVE-2024-52798 | High | Dec 5, 2024
    affected < 0.1.12; fixed 0.1.12

    path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path

  • CVE-2024-45296 | High | Sep 9, 2024
    affected >= 0.2.0, < 1.9.0; fixed 1.9.0

    path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will