GHSA-j3q9-mxjg-w52f

Source

https://github.com/advisories/GHSA-j3q9-mxjg-w52f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j3q9-mxjg-w52f/GHSA-j3q9-mxjg-w52f.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-j3q9-mxjg-w52f

Aliases

CVE-2026-4926

Related

CGA-4rwm-wmf3-xv3m

Published

2026-03-27T22:23:27Z

Modified

2026-03-30T23:29:06.961732643Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Details

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-03-26T19:17:08Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "github_reviewed_at": "2026-03-27T22:23:27Z"
}

References

Affected packages

npm / path-to-regexp

Package

Name: path-to-regexp; View open source insights on deps.dev
Purl: pkg:npm/path-to-regexp

Affected ranges

Type: SEMVER
Events: Introduced

8.0.0

Fixed

8.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-j3q9-mxjg-w52f/GHSA-j3q9-mxjg-w52f.json"