CVE-2026-4926
Received Received - Intake
Exponential Regex DoS via Sequential Optional Groups in Routing

Publication date: 2026-03-26

Last updated on: 2026-04-16

Assigner: openjs

Description
Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4926
EUVD
EUVD-2026-16324
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pillarjs path-to-regexp From 8.0.0 (inc) to 8.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability arises from the use of multiple sequential optional groups in route patterns, which generate a bad regular expression causing denial of service.

Detection involves inspecting route patterns or regular expressions in your system or application code to identify multiple sequential optional groups using curly brace syntax, such as `{a}{b}{c}:z`.

Since no specific detection commands or tools are provided, a practical approach is to search your codebase or configuration files for patterns matching multiple sequential optional groups.

  • Use grep or similar tools to find route patterns with multiple sequential optional groups, for example: `grep -E '\{[^}]+\}\{[^}]+\}\{[^}]+\}' -r /path/to/your/code`
  • Review logs or monitoring tools for signs of denial of service or performance degradation that could be caused by this regex issue.
Executive Summary

This vulnerability occurs when multiple sequential optional groups are used in a regular expression pattern, such as {a}{b}{c}:z. The resulting regular expression grows exponentially in complexity with the number of these groups, which can cause a denial of service.

Impact Analysis

The vulnerability can lead to a denial of service (DoS) condition because the generated regular expression becomes exponentially large and resource-intensive to process.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade to version 8.4.0 or later where the issue is fixed.

As a workaround, limit the number of sequential optional groups in route patterns and avoid passing user-controlled input as route patterns.

Compliance Impact

The vulnerability causes a denial of service due to exponential growth in regular expression processing when multiple sequential optional groups are used. It does not directly impact confidentiality, integrity, or availability of data beyond causing service disruption.

Since the vulnerability does not involve unauthorized access to or disclosure of personal or sensitive data, it does not directly affect compliance with standards like GDPR or HIPAA, which focus on data protection and privacy.

However, denial of service incidents can indirectly affect availability requirements under such regulations, potentially impacting service reliability commitments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4926. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart