PT-2026-28675 · Unknown · Path-To-Regexp
Blakeembrey
+2
·
Published
2026-01-01
·
Updated
2026-06-04
·
CVE-2026-4926
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
path-to-regexp versions prior to 8.4.0
Description
A flawed regular expression is created when multiple sequential optional groups (using curly brace syntax) are present, such as {a}{b}{c}:z. The resulting regular expression expands exponentially with the number of groups, potentially leading to a denial of service. Avoid passing user-controlled input as route patterns.
Recommendations
Versions prior to 8.4.0 should be updated to version 8.4.0 or later. Limit the number of sequential optional groups in route patterns.
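An added pre-check that implements the second recommendation (example code written for this page, not part of path-to-regexp or of the advisory): it counts curly-brace optional groups in a route pattern before the pattern is compiled and rejects patterns whose run of adjacent groups exceeds a limit. The cap of 2 and the simplified parsing (no nested groups; a backslash escapes the next character) are assumptions, not values from the advisory.

```javascript
// Added example: reject route patterns with too many adjacent optional
// groups before they ever reach path-to-regexp. Assumptions (not from the
// library): groups written as {...} are not nested, and a backslash
// escapes the following character, so "\{" is a literal brace.

function analyzeOptionalGroups(pattern) {
  let total = 0;       // all top-level {...} groups in the pattern
  let run = 0;         // length of the current run of adjacent groups
  let maxAdjacent = 0; // longest run seen, e.g. 3 for "{a}{b}{c}:z"
  let depth = 0;       // 0 outside a group, 1 inside one
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") {
      i++; // skip the escaped character
      if (depth === 0) run = 0; // escaped text between groups breaks the run
      continue;
    }
    if (ch === "{") {
      if (depth !== 0) throw new Error(`nested group at index ${i}`);
      depth = 1;
      continue;
    }
    if (ch === "}") {
      if (depth === 0) throw new Error(`unmatched "}" at index ${i}`);
      depth = 0;
      total++;
      run++;
      if (run > maxAdjacent) maxAdjacent = run;
      continue;
    }
    if (depth === 0) run = 0; // a literal or parameter between groups breaks the run
  }
  if (depth !== 0) throw new Error("unterminated optional group");
  return { total, maxAdjacent };
}

// Gate for a router: only patterns under the limit are compiled. The
// default of 2 is an arbitrary cap chosen here, not a value from the advisory.
function isSafeRoutePattern(pattern, maxSequentialGroups = 2) {
  try {
    return analyzeOptionalGroups(pattern).maxAdjacent <= maxSequentialGroups;
  } catch (err) {
    return false; // malformed patterns are rejected rather than compiled
  }
}

// Constructed sample patterns, including the advisory's own example.
for (const p of ["/users/{:id}", "{a}{b}{c}:z", "{a}/{b}/{c}", "{a}{b"]) {
  console.log(JSON.stringify(p), isSafeRoutePattern(p) ? "ok" : "rejected");
}
```

Run the gate on any pattern that originates outside the code base (configuration files, plugin manifests, request data) before handing it to the router; a rejected pattern is logged rather than compiled.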
Fix
DoS
Resource Exhaustion
Related identifiers
Affected products
Path-To-Regexp