Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
|---|---|---|

This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (2)

Vulnerability: VCID-1vjw-mm86-k7gn

Summary:
path-to-regexp vulnerable to Denial of Service via sequential optional groups
### Impact
A pathological regular expression is generated whenever a pattern contains multiple sequential optional groups (curly-brace syntax), such as `{a}{b}{c}:z`. The size of the generated regex grows exponentially with the number of adjacent groups, so such a pattern can consume enough CPU and memory to cause a denial of service.
### Patches
Fixed in version 8.4.0.
### Workarounds
Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Aliases: CVE-2026-4926, GHSA-j3q9-mxjg-w52f

Vulnerability: VCID-366w-k4rs-v7d3

Summary:
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
### Impact
A pattern that contains two or more wildcards (`*name`) together with at least one parameter (`:name`) can compile to a regular expression that backtracks catastrophically on crafted input (ReDoS). The issue only arises when the second wildcard is somewhere other than the end of the path.
**Unsafe examples:**
```
/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y
```
**Safe examples:**
```
/*foo-:bar
/*foo-:bar-*baz
```
### Patches
Upgrade to version `8.4.0`.
### Workarounds
If you must keep patterns with multiple wildcards on an unpatched version, pass the compiled regular expression (the output of `pathToRegexp`) to a ReDoS checker such as recheck (https://makenowjust-labs.github.io/recheck/playground/) to confirm whether the pattern is vulnerable. As with the previous advisory, avoid passing user-controlled input as route patterns.
Aliases: CVE-2026-4923, GHSA-27v5-c462-wpq7
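Both advisories describe pattern shapes that can be checked statically before a route is ever compiled. The block below is an added example, not code from path-to-regexp or its maintainers: a small audit that scans v8-style route patterns for adjacent `{...}` optional groups (first advisory) and for a second `*wildcard` that is not at the end of a pattern that also contains a `:param` (second advisory). Its tokenizer is an approximation of the library's syntax, the `maxSequentialGroups` threshold and the `auditRoutePattern` / `auditRoutes` names are assumptions made here, and the sample route list is constructed for illustration (the unsafe entries are taken from the advisory text above).

```javascript
// Added example: static audit of path-to-regexp v8 route patterns for the
// two advisory shapes. This is NOT the library's code and does not call it;
// the tokenizer approximates the v8 syntax (":name" params, "*name" wildcards,
// "{...}" optional groups, backslash escapes, optional "quoted" names).

const NAME_CHAR = /[A-Za-z0-9_$]/;

// Split a pattern into { type, start, end } tokens over the source string.
// Types: "param", "wildcard", "open" ("{"), "close" ("}"), "text".
function tokenize(pattern) {
  const tokens = [];
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === "\\") {
      // Backslash escape: the next character is literal text.
      tokens.push({ type: "text", start: i, end: Math.min(i + 2, pattern.length) });
      i += 2;
    } else if (c === ":" || c === "*") {
      // Parameter or wildcard; the name is word characters or a quoted string.
      const start = i++;
      if (pattern[i] === '"') {
        const close = pattern.indexOf('"', i + 1);
        i = close === -1 ? pattern.length : close + 1;
      } else {
        while (i < pattern.length && NAME_CHAR.test(pattern[i])) i++;
      }
      tokens.push({ type: c === ":" ? "param" : "wildcard", start, end: i });
    } else if (c === "{" || c === "}") {
      tokens.push({ type: c === "{" ? "open" : "close", start: i, end: i + 1 });
      i++;
    } else {
      tokens.push({ type: "text", start: i, end: i + 1 });
      i++;
    }
  }
  return tokens;
}

// Returns a list of human-readable findings; an empty list means neither
// advisory shape was detected. maxSequentialGroups is an assumed threshold.
function auditRoutePattern(pattern, { maxSequentialGroups = 1 } = {}) {
  const tokens = tokenize(pattern);
  const findings = [];

  // Rule 1 (sequential optional groups): count the longest run of top-level
  // "{...}" groups with nothing between them, e.g. "{a}{b}{c}:z" has a run of 3.
  let depth = 0, run = 0, longest = 0;
  tokens.forEach((t, k) => {
    if (t.type === "open") {
      if (depth === 0) {
        const prev = tokens[k - 1];
        run = prev && prev.type === "close" ? run + 1 : 1;
        longest = Math.max(longest, run);
      }
      depth++;
    } else if (t.type === "close") {
      depth--;
    }
  });
  if (longest > maxSequentialGroups) {
    findings.push(`sequential-optional-groups: ${longest} adjacent {...} groups (limit ${maxSequentialGroups})`);
  }

  // Rule 2 (multiple wildcards): two or more "*name" wildcards, at least one
  // ":name" parameter, and the second wildcard not at the very end of the path.
  const wildcards = tokens.filter((t) => t.type === "wildcard");
  const hasParam = tokens.some((t) => t.type === "param");
  if (wildcards.length >= 2 && hasParam && wildcards[1].end !== pattern.length) {
    findings.push("multiple-wildcards: second wildcard is not at the end of the path and a :param is present");
  }
  return findings;
}

// Audit a whole route table; returns { pattern: [findings] } for flagged routes only.
function auditRoutes(routes, options) {
  const report = {};
  for (const route of routes) {
    const findings = auditRoutePattern(route, options);
    if (findings.length) report[route] = findings;
  }
  return report;
}

// Constructed sample route table (not from a real application). The unsafe
// entries are the ones listed in the advisory text.
const SAMPLE_ROUTES = [
  "/users/:id",
  "/files/*path",
  "/*foo-:bar",
  "/*foo-:bar-*baz",
  "/*foo-*bar-:baz",
  "/*a-:b-*c-:d",
  "/x/*a-:b/*c/y",
  "{a}{b}{c}:z",
  "/{a}/{b}",
];

for (const [route, findings] of Object.entries(auditRoutes(SAMPLE_ROUTES))) {
  console.log(`${route}\n  ${findings.join("\n  ")}`);
}
```

Run this over the application's route table at start-up or in CI; a non-empty report is a reason to rewrite the pattern or to confirm it with recheck on the compiled regex. The audit is deliberately conservative on the wildcard rule (it flags by shape rather than by proving backtracking), and because it reads the pattern string rather than the compiled regex it works on any path-to-regexp version, including ones that are not yet upgraded to 8.4.0.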