VulnerableCode Package Details - pkg:npm/path-to-regexp@8.4.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1vjw-mm86-k7gn	path-to-regexp vulnerable to Denial of Service via sequential optional groups ### Impact A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. ### Patches Fixed in version 8.4.0. ### Workarounds Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.	CVE-2026-4926 GHSA-j3q9-mxjg-w52f
VCID-366w-k4rs-v7d3	path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards ### Impact When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: ``` /foo-bar-:baz /a-:b-c-:d /x/a-:b/c/y ``` Safe examples: ``` /foo-:bar /foo-:bar-*baz ``` ### Patches Upgrade to version `8.4.0`. ### Workarounds If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.	CVE-2026-4923 GHSA-27v5-c462-wpq7

Vulnerability

Summary

Aliases

VCID-1vjw-mm86-k7gn

path-to-regexp vulnerable to Denial of Service via sequential optional groups ### Impact A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. ### Patches Fixed in version 8.4.0. ### Workarounds Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

CVE-2026-4926
GHSA-j3q9-mxjg-w52f

VCID-366w-k4rs-v7d3

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards ### Impact When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. **Unsafe examples:** ``` /*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y ``` **Safe examples:** ``` /*foo-:bar /*foo-:bar-*baz ``` ### Patches Upgrade to version `8.4.0`. ### Workarounds If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

CVE-2026-4923
GHSA-27v5-c462-wpq7

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T17:01:31.743011+00:00	GHSA Importer	Fixing	VCID-366w-k4rs-v7d3	https://github.com/advisories/GHSA-27v5-c462-wpq7	38.1.0
2026-04-02T17:01:31.711378+00:00	GHSA Importer	Fixing	VCID-1vjw-mm86-k7gn	https://github.com/advisories/GHSA-j3q9-mxjg-w52f	38.1.0
2026-04-01T12:54:02.539552+00:00	GithubOSV Importer	Fixing	VCID-366w-k4rs-v7d3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-27v5-c462-wpq7/GHSA-27v5-c462-wpq7.json	38.0.0
2026-04-01T12:53:21.272658+00:00	GithubOSV Importer	Fixing	VCID-1vjw-mm86-k7gn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j3q9-mxjg-w52f/GHSA-j3q9-mxjg-w52f.json	38.0.0