GHSA-27v5-c462-wpq7

Source

https://github.com/advisories/GHSA-27v5-c462-wpq7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-27v5-c462-wpq7/GHSA-27v5-c462-wpq7.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-27v5-c462-wpq7

Aliases

CVE-2026-4923

Published

2026-03-27T22:23:52Z

Modified

2026-03-27T22:35:44.555368Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

Details

Impact

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches

Upgrade to version 8.4.0.

Workarounds

If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Database specific

{
    "github_reviewed_at": "2026-03-27T22:23:52Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1333"
    ],
    "nvd_published_at": "2026-03-26T19:17:08Z"
}

References

Affected packages

npm / path-to-regexp

Package

Name: path-to-regexp; View open source insights on deps.dev
Purl: pkg:npm/path-to-regexp

Affected ranges

Type: SEMVER
Events: Introduced

8.0.0

Fixed

8.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-27v5-c462-wpq7/GHSA-27v5-c462-wpq7.json"