VulnerableCode Package Details - pkg:npm/path-to-regexp@0.1.13

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-vzcu-mpsr-qbgm	path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters ### Impact A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b-:c` or `/:a-:b-:c-:d`. The backtrack protection added in `path-to-regexp@0.1.12` only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. ### Patches Upgrade to [path-to-regexp@0.1.13](https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13) Custom regex patterns in route definitions (e.g., `/:a-:b([^-/]+)-:c([^-/]+)`) are not affected because they override the default capture group. ### Workarounds All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b-:c` to `/:a-:b([^-/]+)-:c([^-/]+)`. If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. ### References - [GHSA-9wv6-86v2-598j](https://github.com/advisories/GHSA-9wv6-86v2-598j) - [Detailed blog post: ReDoS the web](https://blakeembrey.com/posts/2024-09-web-redos/)	CVE-2026-4867 GHSA-37ch-88jc-xwx2

Vulnerability

Summary

Aliases

VCID-vzcu-mpsr-qbgm

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters ### Impact A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b-:c` or `/:a-:b-:c-:d`. The backtrack protection added in `path-to-regexp@0.1.12` only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. ### Patches Upgrade to [path-to-regexp@0.1.13](https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13) Custom regex patterns in route definitions (e.g., `/:a-:b([^-/]+)-:c([^-/]+)`) are not affected because they override the default capture group. ### Workarounds All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b-:c` to `/:a-:b([^-/]+)-:c([^-/]+)`. If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. ### References - [GHSA-9wv6-86v2-598j](https://github.com/advisories/GHSA-9wv6-86v2-598j) - [Detailed blog post: ReDoS the web](https://blakeembrey.com/posts/2024-09-web-redos/)

CVE-2026-4867
GHSA-37ch-88jc-xwx2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T17:01:31.363520+00:00	GHSA Importer	Fixing	VCID-vzcu-mpsr-qbgm	https://github.com/advisories/GHSA-37ch-88jc-xwx2	38.1.0
2026-04-01T12:53:42.002738+00:00	GithubOSV Importer	Fixing	VCID-vzcu-mpsr-qbgm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-37ch-88jc-xwx2/GHSA-37ch-88jc-xwx2.json	38.0.0

2026-04-02T17:01:31.363520+00:00

GHSA Importer

Fixing

VCID-vzcu-mpsr-qbgm

https://github.com/advisories/GHSA-37ch-88jc-xwx2

38.1.0

2026-04-01T12:53:42.002738+00:00

GithubOSV Importer

Fixing

VCID-vzcu-mpsr-qbgm

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-37ch-88jc-xwx2/GHSA-37ch-88jc-xwx2.json

38.0.0