CVE-2026-4926
Exponential Regex DoS via Sequential Optional Groups in Routing
Publication date: 2026-03-26
Last updated on: 2026-04-16
Assigner: openjs
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pillarjs | path-to-regexp | From 8.0.0 (inc) to 8.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the use of multiple sequential optional groups in route patterns, which generate a bad regular expression causing denial of service.
Detection involves inspecting route patterns or regular expressions in your system or application code to identify multiple sequential optional groups using curly brace syntax, such as `{a}{b}{c}:z`.
Since no specific detection commands or tools are provided, a practical approach is to search your codebase or configuration files for patterns matching multiple sequential optional groups.
- Use grep or similar tools to find route patterns with multiple sequential optional groups, for example: `grep -E '\{[^}]+\}\{[^}]+\}\{[^}]+\}' -r /path/to/your/code`
- Review logs or monitoring tools for signs of denial of service or performance degradation that could be caused by this regex issue.
Can you explain this vulnerability to me?
This vulnerability occurs when multiple sequential optional groups are used in a route pattern, such as `{a}{b}{c}:z`. The regular expression generated from such a pattern grows exponentially in complexity with the number of these groups, which can cause a denial of service.
How can this vulnerability impact me?
The vulnerability can lead to a denial of service (DoS) condition because the generated regular expression becomes exponentially large and resource-intensive to process.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade to version 8.4.0 or later where the issue is fixed.
As a workaround, limit the number of sequential optional groups in route patterns and avoid passing user-controlled input as route patterns.
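The detection answer above suggests grepping for adjacent `{...}` groups, and the workaround is to limit how many sequential optional groups a route pattern contains. The following is an added example, not code from the advisory or from the path-to-regexp project: a small static check that tokenizes a route pattern into top-level `{...}` groups and literal text, measures the longest run of adjacent groups, and flags routes whose run reaches a reviewer-chosen threshold. The route table, the `threshold` default of 2, and the function names are assumptions constructed for illustration; the check is syntax-level only and does not evaluate the library's generated regex.

```javascript
// Added example (not from the advisory or path-to-regexp): a static check that
// flags route patterns containing runs of adjacent optional groups ("{...}{...}"),
// the pattern shape CVE-2026-4926 describes for path-to-regexp 8.0.0 to 8.3.x.
// All patterns, route tables and thresholds below are constructed for illustration.

// Split a pattern into tokens: top-level "{...}" groups and the literal text
// between them. Nested braces are tracked by depth so "{a{b}}" is one group,
// and a backslash escapes the next character.
function tokenize(pattern) {
  const tokens = [];
  let depth = 0;
  let start = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === '{') {
      if (depth === 0) {
        if (i > start) tokens.push({ type: 'text', value: pattern.slice(start, i) });
        start = i;
      }
      depth++;
    } else if (ch === '}') {
      if (depth === 0) throw new Error(`unbalanced '}' at index ${i} in ${pattern}`);
      depth--;
      if (depth === 0) {
        tokens.push({ type: 'group', value: pattern.slice(start, i + 1) });
        start = i + 1;
      }
    }
  }
  if (depth !== 0) throw new Error(`unbalanced '{' in ${pattern}`);
  if (start < pattern.length) tokens.push({ type: 'text', value: pattern.slice(start) });
  return tokens;
}

// Longest run of immediately adjacent top-level optional groups in a pattern.
function maxAdjacentOptionalGroups(pattern) {
  let best = 0;
  let run = 0;
  for (const t of tokenize(pattern)) {
    run = t.type === 'group' ? run + 1 : 0;
    if (run > best) best = run;
  }
  return best;
}

// Scan a route table and return the patterns whose longest run reaches the
// threshold. The default of 2 is a policy assumption: two adjacent groups is
// already worth a review, since the generated regex grows with each added group.
function findRiskyRoutes(routes, threshold = 2) {
  return routes
    .map(pattern => ({ pattern, run: maxAdjacentOptionalGroups(pattern) }))
    .filter(r => r.run >= threshold);
}

// Constructed sample route table (not taken from any real application).
const SAMPLE_ROUTES = [
  '/users/:id',
  '/files{/:path}',
  '/search{a}{b}{c}:z',
  '/archive{/:year}{/:month}{/:day}{/:slug}',
  '/docs{/:lang}/page{/:id}',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of findRiskyRoutes(SAMPLE_ROUTES)) {
    console.log(`${r.pattern}: ${r.run} adjacent optional groups`);
  }
}
```

Run it against your own route definitions before upgrading to decide which patterns need to be rewritten; a pattern whose groups are separated by literal text (such as `/docs{/:lang}/page{/:id}`) is not flagged, because the groups are not sequential.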
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial of service due to exponential growth in regular expression processing when multiple sequential optional groups are used. It does not affect the confidentiality or integrity of data; its impact is limited to availability, in the form of service disruption.
Since the vulnerability does not involve unauthorized access to or disclosure of personal or sensitive data, it does not directly affect compliance with standards like GDPR or HIPAA, which focus on data protection and privacy.
However, denial of service incidents can indirectly affect availability requirements under such regulations, potentially impacting service reliability commitments.