Fluid Attacks Database

Description

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

Impact

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches

Upgrade to version 8.4.0.

Workarounds

If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel8	pcs	-	-
debian 12	node-path-to-regexp	=6.2.1-1 \|\| =6.3.0-1 \|\| =8.3.0-1 \|\| =8.4.0-1 \|\| =8.4.1-1	-
rpm rhel8	mozjs60	-	-
rpm rhel10	linux-sgx	-	-
rpm rhel9	gjs	-	-
debian 13	node-path-to-regexp	=6.3.0-1 \|\| =8.3.0-1 \|\| =8.4.0-1 \|\| =8.4.1-1	-
debian 11	node-path-to-regexp	=6.2.0-1 \|\| =6.2.0-2 \|\| =6.2.0-3 \|\| =6.2.1-1 \|\| =6.3.0-1 \|\| =8.3.0-1 \|\| =8.4.0-1 \|\| =8.4.1-1	-
debian 14	node-path-to-regexp	=6.3.0-1 \|\| =8.3.0-1 \|\| >=0 <8.4.0-1	8.4.0-1
npm	path-to-regexp	>=8.0.0 <8.4.0	8.4.0
rpm rhel9	linux-sgx	-	-

1-10 of 11

Aliases

1. CVE-2026-49232. NVD-2026-49233. OSV-2026-49234. OSV-DEBIAN-2026-49235. GHSA-27v5-c462-wpq76. GCVE-2026-49237. SECURITY-TRACKER-CVE-2026-4923

References

1. https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq72. https://cna.openjsf.org/security-advisories.html3. https://makenowjust-labs.github.io/recheck/playground