CVE-2026-4867
Received Received - Intake
Catastrophic Backtracking in path-to-regexp Causes DoS Risk

Publication date: 2026-03-26

Last updated on: 2026-04-16

Assigner: openjs

Description
Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in [email protected] only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking. Patches: Upgrade to [email protected] Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group. Workarounds: All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4867
EUVD
EUVD-2026-16273
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pillarjs path-to-regexp to 0.1.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4867 is a Regular Expression Denial of Service (ReDoS) vulnerability in the path-to-regexp library, which is commonly used in JavaScript frameworks like Express.js and Next.js for routing.

The vulnerability occurs when a route contains three or more parameters within a single URL segment separated by characters other than a period (e.g., /:a-:b-:c). The generated regular expression allows catastrophic backtracking because the backtrack protection only covers up to two parameters.

This happens because the regex engine tries many overlapping matches due to ambiguous capture groups and lazy quantifiers, causing excessive CPU usage and slow response times when processing crafted inputs.

Routes with custom regex patterns for parameters are not affected because they override the default capture groups.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by making the server spend excessive CPU time processing specially crafted URL paths.

Because JavaScript regex matching runs on the main thread, the excessive backtracking can block the event loop, leading to severe performance degradation and unresponsiveness.

  • Latency can increase from under 1 millisecond to hundreds of milliseconds or more under attack.
  • This can effectively make the affected web application unavailable to legitimate users.

The impact is availability-related, with no direct confidentiality or integrity loss.

Detection Guidance

This vulnerability can be detected by identifying routes in your application that contain three or more parameters within a single URL segment separated by characters other than a period (e.g., /:a-:b-:c). Such routes generate vulnerable regular expressions prone to catastrophic backtracking.

To detect exploitation attempts on your network or system, monitor for unusually long or malformed URL paths that match these vulnerable route patterns, especially those with repeated separator characters (like multiple hyphens) followed by unmatched characters, which cause excessive regex backtracking and CPU usage.

While no specific commands are provided in the resources, you can use network monitoring tools or application logs to filter requests matching suspicious URL patterns, such as those with repeated separator characters or abnormally long path segments.

Additionally, resources like the Recheck playground mentioned by the maintainer can be used to test if your routes are vulnerable by simulating crafted inputs that trigger the regex backtracking.

Mitigation Strategies

The primary mitigation is to upgrade the path-to-regexp library to version 0.1.13 or later, where patches prevent catastrophic backtracking by generating safer regular expressions.

If upgrading is not immediately possible, you can apply workarounds by providing custom regular expressions for parameters after the first in a single segment, ensuring these regexes do not match preceding text. For example, change routes like /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

Another mitigation is to limit the URL length accepted by your application to reduce the impact of crafted long inputs that trigger excessive backtracking.

Users unable to upgrade or rewrite routes are encouraged to contact the maintainer for tailored mitigation advice, acknowledging that some fixes may break edge-case routes due to trade-offs between compatibility and security.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4867. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart