Fluid Attacks Database

Description

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-path-to-regexp	=6.2.1-1 \|\| =6.3.0-1 \|\| =8.3.0-1 \|\| =8.4.0-1 \|\| =8.4.1-1	-
debian 14	node-path-to-regexp	=6.3.0-1 \|\| =8.3.0-1 \|\| >=0 <8.4.0-1	8.4.0-1
debian 11	node-path-to-regexp	=6.2.0-1 \|\| =6.2.0-2 \|\| =6.2.0-3 \|\| =6.2.1-1 \|\| =6.3.0-1 \|\| =8.3.0-1 \|\| =8.4.0-1 \|\| =8.4.1-1	-
debian 13	node-path-to-regexp	=6.3.0-1 \|\| =8.3.0-1 \|\| =8.4.0-1 \|\| =8.4.1-1	-
npm	path-to-regexp	>=8.0.0 <8.4.0	8.4.0
rpm rhel9	gjs	-	-

Aliases

1. CVE-2026-49262. NVD-2026-49263. OSV-DEBIAN-2026-49264. OSV-2026-49265. GHSA-j3q9-mxjg-w52f6. GCVE-2026-49267. SECURITY-TRACKER-CVE-2026-4926

References

1. https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f2. https://cna.openjsf.org/security-advisories.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.