[Pkg-javascript-devel] Bug#1132020: node-path-to-regexp: CVE-2026-4867 CVE-2026-4923 CVE-2026-4926
Salvatore Bonaccorso
carnil at debian.org
Fri Mar 27 05:33:13 GMT 2026
Source: node-path-to-regexp
Version: 8.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for node-path-to-regexp.
CVE-2026-4867[0]:
| Impact: A bad regular expression is generated any time you have
| three or more parameters within a single segment, separated by
| something that is not a period (.). For example, /:a-:b-:c or
| /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12
| only prevents ambiguity for two parameters. With three
| or more, the generated lookahead does not block single separator
| characters, so capture groups overlap and cause catastrophic
| backtracking. Patches: Upgrade to path-to-regexp@0.1.13. Custom
| regex patterns in route definitions (e.g.,
| /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override
| the default capture group. Workarounds: All versions can be
| patched by providing a custom regular expression for parameters
| after the first in a single segment. As long as the custom regular
| expression does not match the text before the parameter, you will be
| safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
| If paths cannot be rewritten and versions cannot be upgraded,
| another alternative is to limit the URL length.
CVE-2026-4923[1]:
| Impact: When using multiple wildcards, combined with at least one
| parameter, a regular expression can be generated that is vulnerable
| to ReDoS. This backtracking vulnerability requires the second
| wildcard to be somewhere other than the end of the path.
| Unsafe examples: /*foo-*bar-:baz, /*a-:b-*c-:d, /x/*a-:b/*c/y
| Safe examples: /*foo-:bar, /*foo-:bar-*baz
| Patches: Upgrade to version 8.4.0.
| Workarounds: If you are using multiple wildcard parameters,
| you can check the regex output with a tool such as
| https://makenowjust-labs.github.io/recheck/playground/ to confirm
| whether a path is vulnerable.
CVE-2026-4926[2]:
| Impact: A bad regular expression is generated any time you have
| multiple sequential optional groups (curly brace syntax), such as
| `{a}{b}{c}:z`. The generated regex grows exponentially with the
| number of groups, causing denial of service. Patches: Fixed in
| version 8.4.0. Workarounds: Limit the number of sequential
| optional groups in route patterns. Avoid passing user-controlled
| input as route patterns.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4867
https://www.cve.org/CVERecord?id=CVE-2026-4867
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
[1] https://security-tracker.debian.org/tracker/CVE-2026-4923
https://www.cve.org/CVERecord?id=CVE-2026-4923
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
[2] https://security-tracker.debian.org/tracker/CVE-2026-4926
https://www.cve.org/CVERecord?id=CVE-2026-4926
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
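As an added illustration that is not part of the bug report or of path-to-regexp itself: a small lint pass over route strings that flags the three route shapes the quoted advisories describe, so a maintainer can scan an application's routes before the package is upgraded. The shape rules are my approximation of the advisory text, and the sample routes are the advisories' own examples.

```javascript
// Added example, not code from the advisories or from path-to-regexp itself.
// The three shape rules below approximate the advisory text; upgrading is the fix.
const TOKEN_RE = /:[A-Za-z_$][\w$]*(\([^)]*\))?|\*[A-Za-z_$][\w$]*|\//g;
const ADVICE = {
  'CVE-2026-4867': 'give every param after the first a custom pattern such as ([^-/]+), or upgrade to 0.1.13',
  'CVE-2026-4923': 'second wildcard is not at the end of the path; check the generated regex, or upgrade to 8.4.0',
  'CVE-2026-4926': 'sequential optional groups; limit them, never build patterns from user input, or upgrade to 8.4.0',
};
// Returns the sorted list of CVE ids whose risky shape appears in `route`.
function lintRoute(route) {
  const findings = new Set();
  const tokens = [...route.matchAll(TOKEN_RE)];   // ':name(...)', '*name' or '/'
  const params = tokens.filter((t) => t[0][0] === ':');
  const wildcards = tokens.filter((t) => t[0][0] === '*');
  // CVE-2026-4867: three or more params in one '/'-delimited segment, joined by
  // something other than '.', where a later param still uses the default group.
  // Tokenising first keeps a '/' inside a custom pattern from splitting the segment.
  const segments = [[]];
  for (const t of tokens) {
    if (t[0] === '/') segments.push([]);
    else if (t[0][0] === ':') segments[segments.length - 1].push(t);
  }
  for (const seg of segments) {
    if (seg.length < 3) continue;
    for (let i = 1; i < seg.length; i++) {
      const prev = seg[i - 1];
      const sep = route.slice(prev.index + prev[0].length, seg[i].index);
      if (sep !== '.' && seg[i][1] === undefined) findings.add('CVE-2026-4867');
    }
  }
  // CVE-2026-4923: two or more wildcards plus at least one param, with the
  // second wildcard somewhere other than the end of the path.
  if (wildcards.length >= 2 && params.length >= 1) {
    const second = wildcards[1];
    if (second.index + second[0].length !== route.length) findings.add('CVE-2026-4923');
  }
  // CVE-2026-4926: sequential optional groups such as {a}{b}{c}.
  if (/\}\s*\{/.test(route)) findings.add('CVE-2026-4926');
  return [...findings].sort();
}
// Constructed sample routes, taken from the advisories' own examples.
const SAMPLE_ROUTES = ['/:a-:b-:c', '/:a-:b([^-/]+)-:c([^-/]+)', '/*foo-*bar-:baz',
  '/*foo-:bar-*baz', '/x/*a-:b/*c/y', '/{a}{b}{c}:z', '/users/:id'];
for (const r of SAMPLE_ROUTES) {
  for (const cve of lintRoute(r)) console.log(`${r}: ${cve}: ${ADVICE[cve]}`);
}
```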