PT-2026-28674 · Unknown · Path-To-Regexp

Blakeembrey +1 · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-4923

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: path-to-regexp versions prior to 8.4.0

Description: path-to-regexp is susceptible to Regular Expression Denial of Service (ReDoS) when a route pattern contains two or more wildcards combined with at least one parameter and the second wildcard is not at the end of the path. The regular expression generated for such a pattern can backtrack excessively on crafted input. Unsafe examples include '/*foo-*bar-:baz', '/*a-:b-*c-:d' and '/x/*a-:b/*c/y'; safe examples include '/*foo-:bar' and '/*foo-:bar-*baz', where the second wildcard, if present, ends the path. ReDoS is an attack in which a carefully crafted input causes the regular expression engine to take an extremely long time to process, leading to denial of service. The CVSS vector reflects an availability-only impact (A:H) at high attack complexity (AC:H).

Recommendations: Upgrade to path-to-regexp 8.4.0 or later. If routes use multiple wildcards, inspect the generated regular expression (for example with a ReDoS checker) to confirm whether a given path is affected.
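The following script is an added example, not part of this advisory and not code from path-to-regexp. It does two things a practitioner triaging routes would want: it tokenizes a route pattern and applies the rule stated above (two or more wildcards, at least one parameter, second wildcard not at the end of the path), and it times a hand-written regular expression mirroring the vulnerable shape against a constructed non-matching input so the superlinear growth is visible next to a safe shape. Assumptions: the tokenizer handles only the `:name` and `*name` syntax (optional groups and quoted names are not parsed); the two regexes are written by hand to mirror what path-to-regexp v8 is believed to emit (`*name` as `([\s\S]+)`, `:name` after a `-` as `([^\/-]+)`) and are not the library's output, so for a real check substitute the `regexp` returned by `pathToRegexp(path)` in v8; the `buildPayload` input is constructed for this demonstration.

```javascript
// Added example (not part of the advisory or of path-to-regexp itself):
// a triage helper for the pattern class described above, plus a timing probe.

// Tokenize a path-to-regexp v8 style path into text, ":param" and "*wildcard"
// tokens. Only the ":name" and "*name" syntax is handled here (assumption:
// optional groups "{...}" and quoted names are not used in the routes checked).
function tokenize(path) {
  const tokens = [];
  let text = "";
  const flushText = () => {
    if (text) tokens.push({ type: "text", value: text });
    text = "";
  };
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === "\\" && i + 1 < path.length) {
      // a backslash escapes the next character, so it is literal text
      text += path[++i];
      continue;
    }
    if (ch === ":" || ch === "*") {
      const m = /^[A-Za-z0-9_]+/.exec(path.slice(i + 1));
      if (m) {
        flushText();
        tokens.push({ type: ch === ":" ? "param" : "wildcard", name: m[0] });
        i += m[0].length;
        continue;
      }
    }
    text += ch;
  }
  flushText();
  return tokens;
}

// Apply the advisory's rule: two or more wildcards, at least one parameter,
// and the second wildcard not at the end of the path. This is a triage
// heuristic for which routes to inspect, not a proof of vulnerability.
function isSuspiciousPattern(path) {
  const tokens = tokenize(path);
  const wildcardIdx = [];
  let params = 0;
  tokens.forEach((t, i) => {
    if (t.type === "wildcard") wildcardIdx.push(i);
    if (t.type === "param") params++;
  });
  if (wildcardIdx.length < 2 || params < 1) return false;
  return wildcardIdx[1] !== tokens.length - 1;
}

// Hand-written regexes mirroring the shape path-to-regexp v8 is believed to
// emit (assumption; obtain the real one via pathToRegexp(path).regexp).
const VULNERABLE_SHAPE = /^\/([\s\S]+)-([\s\S]+)-([^\/-]+)$/; // like '/*foo-*bar-:baz'
const SAFE_SHAPE = /^\/([\s\S]+)-([^\/-]+)$/;                 // like '/*foo-:bar'

// Constructed non-matching input: the dashes can be split between the two
// unbounded groups in O(n^2) ways before the final parameter group fails.
function buildPayload(n) {
  return "/" + "-".repeat(n) + "/";
}

// Time re.test on payloads of size n and 2n. A ratio near 4 indicates
// quadratic backtracking; a ratio near 2 (or tiny times) indicates linear work.
function growthRatio(re, n) {
  const time = (len) => {
    const input = buildPayload(len);
    const t0 = process.hrtime.bigint();
    re.test(input);
    return Number(process.hrtime.bigint() - t0) / 1e6; // milliseconds
  };
  time(n); // warm-up run
  const small = time(n);
  const large = time(2 * n);
  return { small, large, ratio: large / Math.max(small, 1e-3) };
}

// Demo: classify the advisory's examples, then compare the two shapes.
const examples = ["/*foo-*bar-:baz", "/*a-:b-*c-:d", "/x/*a-:b/*c/y", "/*foo-:bar", "/*foo-:bar-*baz"];
for (const p of examples) {
  console.log(p.padEnd(18), isSuspiciousPattern(p) ? "review: matches advisory rule" : "ok");
}
for (const [name, re] of [["vulnerable shape", VULNERABLE_SHAPE], ["safe shape", SAFE_SHAPE]]) {
  const r = growthRatio(re, 5000);
  console.log(name.padEnd(18), `n=5000: ${r.small.toFixed(2)} ms`, `n=10000: ${r.large.toFixed(2)} ms`, `ratio ${r.ratio.toFixed(1)}`);
}
```

The classifier only narrows the review set; the timing probe is what confirms a problem, and it should be run against the regex the installed library actually produces rather than the stand-in here. Growth is polynomial rather than exponential for this shape, so a single short payload will not look alarming; the ratio between doubled input sizes is the signal.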

Tags: Fix · DoS

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-IS05941
CLEANSTART-2026-KS09647
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-4923
GHSA-27V5-C462-WPQ7

Affected Products

Path-To-Regexp