CVE-2026-4923
Denial of Service vulnerability in path-to-regexp (npm)
What is CVE-2026-4923 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) that occurs when specific patterns containing multiple wildcards and parameters are used in path regular expressions. An attacker can craft inputs that cause excessive backtracking in the regex engine, leading to a denial of service. The ease of exploitation depends on the complexity of the regex and the attacker's ability to identify suitable input patterns.
Affected Software
Technical Details
The vulnerability arises from the generation of regular expressions containing specific patterns: multiple wildcards (*) combined with at least one parameter (:), where the second wildcard is not at the end of the path. This specific structure, such as /*foo-*bar-:baz or /*a-:b-*c-:d, can create a regex that is highly susceptible to catastrophic backtracking when processing certain input strings. When a malicious input string triggers this pathological behavior, the regular expression engine consumes excessive CPU resources to evaluate the pattern, leading to a significant performance degradation or an outright denial of service for the application relying on that regex matching.
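The following is an added audit helper, not code from path-to-regexp or from the advisory. It flags route patterns that have the structure described above (at least two wildcards, at least one parameter, second wildcard not at the end) so that a route table can be reviewed before or alongside the upgrade. It assumes path-to-regexp v8 syntax (`:name` parameters, `*name` wildcards, `\` escaping the next character) and, as a simplification, does not handle quoted names such as `:"name"`.

```javascript
// Added example: static audit of route patterns for the risky shape
// described in this advisory. Assumes path-to-regexp v8 syntax.
const NAME_CHAR = /[A-Za-z0-9_]/;

// Tokenise a v8 path pattern into parameter (":name") and wildcard ("*name") tokens.
// Escaped characters ("\*", "\:") are treated as literals and skipped.
function tokenize(path) {
  const tokens = [];
  let i = 0;
  while (i < path.length) {
    const ch = path[i];
    if (ch === '\\') { i += 2; continue; }            // escaped literal
    if (ch === ':' || ch === '*') {
      let j = i + 1;
      while (j < path.length && NAME_CHAR.test(path[j])) j++;
      if (j > i + 1) {                                // named token only
        tokens.push({ type: ch === ':' ? 'param' : 'wildcard', start: i, end: j });
      }
      i = j;
      continue;
    }
    i++;
  }
  return tokens;
}

// True when the pattern has >= 2 wildcards, >= 1 parameter, and the second
// wildcard does not sit at the end of the path (e.g. "/*foo-*bar-:baz").
function isRiskyPattern(path) {
  const tokens = tokenize(path);
  const wildcards = tokens.filter((t) => t.type === 'wildcard');
  const params = tokens.filter((t) => t.type === 'param');
  if (wildcards.length < 2 || params.length < 1) return false;
  return wildcards[1].end !== path.length;
}

// Return the subset of a route table that needs attention.
function auditRoutes(routes) {
  return routes.filter(isRiskyPattern);
}

// Constructed sample route table for demonstration.
const SAMPLE_ROUTES = ['/users/:id', '/*foo-*bar-:baz', '/*a-:b-*c', '/*a-:b-*c-:d'];
console.log(auditRoutes(SAMPLE_ROUTES)); // [ '/*foo-*bar-:baz', '/*a-:b-*c-:d' ]
```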
What is the Impact of CVE-2026-4923?
Successful exploitation may allow attackers to cause the application to become unresponsive or consume excessive resources, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2026-4923?
Exploitation characteristics involve crafting a specific input string that triggers the ReDoS condition in the dynamically generated regular expression. The attacker needs to identify the vulnerable path patterns that exist within the application. No authentication is required, and exploitation is typically remote, as it involves sending a specially crafted request. The complexity is medium, as it requires knowledge of regex backtracking and the specific patterns used by the application, but it does not require special conditions beyond sending the crafted input. Increased risk factors include applications that accept user-supplied input for path matching or routing rules.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-4923?
Available Upgrade Options
- path-to-regexp
- >=8.0.0, <8.4.0 → Upgrade to 8.4.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2026-4923
- https://osv.dev/vulnerability/GHSA-27v5-c462-wpq7
- https://github.com/pillarjs/path-to-regexp
- https://cna.openjsf.org/security-advisories.html
- https://makenowjust-labs.github.io/recheck/playground
- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
What are Similar Vulnerabilities to CVE-2026-4923?
Similar Vulnerabilities: CVE-2023-28155, CVE-2023-28156, CVE-2022-2900, CVE-2021-3918, CVE-2020-28500
