PT-2026-28656 · Unknown · Path-To-Regexp
Blakeembrey +2 · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-4867
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions path-to-regexp versions prior to 0.1.13
Description A flawed regular expression is generated when three or more parameters are present within a single segment, separated by characters other than a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection introduced in path-to-regexp@0.1.12 only addresses ambiguity for two parameters. With three or more parameters, the generated lookahead does not prevent single separator characters from causing capture groups to overlap, leading to catastrophic backtracking. Custom regular expression patterns defined in route definitions, such as /:a-:b([^-/]+)-:c([^-/]+), are not affected as they override the default capture group.
Recommendations Upgrade to path-to-regexp@0.1.13. As a workaround, provide a custom regular expression for parameters after the first in a single segment, ensuring it does not match the text preceding the parameter. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, limit the URL length.

Tags Fix · DoS
Related Identifiers CLEANSTART-2026-CB77162 · CVE-2026-4867 · GHSA-37CH-88JC-XWX2
Affected Products Path-To-Regexp