{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4923", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-26T18:05:44.717Z", "datePublished": "2026-03-26T19:02:00.729Z", "dateUpdated": "2026-03-27T13:58:03.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-26T19:02:00.729Z"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable."}]}], "affected": [{"vendor": "path-to-regexp", "product": "path-to-regexp", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.4.0"}, {"versionType": "semver", "status": "unaffected", "version": "8.4.0"}], "packageURL": "pkg:npm/path-to-regexp"}], "references": [{"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "remediation developer", "value": "blakeembrey"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}], "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:46:47.360477Z", "id": "CVE-2026-4923", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:58:03.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards", "credits": [{"lang": "en", "type": "remediation developer", "value": "blakeembrey"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "path-to-regexp", "product": "path-to-regexp", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "8.4.0", "versionType": "semver"}, {"status": "unaffected", "version": "8.4.0", "versionType": "semver"}], "packageURL": "pkg:npm/path-to-regexp", "defaultStatus": "unaffected"}], "references": [{"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.", "supportingMedia": [{"type": "text/html", "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-26T19:02:00.729Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:46:47.360477Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:46:51.745Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-4923", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:02:00.729Z", "dateReserved": "2026-03-26T18:05:44.717Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-03-26T19:02:00.729Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable."}], "id": "CVE-2026-4923", "lastModified": "2026-03-26T19:17:08.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-03-26T19:17:08.187", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.4.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "8.4.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "path-to-regexp", "source": "cna", "vendor": "path-to-regexp"}, "product": "path-to-regexp", "vendor": "path-to-regexp"}], "analysis": {"en": {"generated_at": "2026-03-26T20:35:39.165556+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading path-to-regexp to version 8.4.0 or later", "If upgrading is not immediately possible, use a regex checking tool such as https://makenowjust-labs.github.io/recheck/playground/ to review generated regexes for paths with multiple wildcards", "Avoid or limit the use of multiple wildcard parameters within routing definitions to prevent construction of vulnerable patterns"], "summary": {"action": "Patch", "impact": "Regular Expression Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected component is the path-to-regexp library, an npm package used for routing in JavaScript applications. All versions before the 8.4.0 release are vulnerable. The library is commonly embedded in web frameworks that build request routing patterns, so any application that includes a vulnerable version of path-to-regexp is at risk.", "description_and_impact": "The vulnerability allows an attacker to trigger a regular expression backtracking condition by crafting a path that contains multiple wildcards together with at least one parameter. The resulting regular expression can consume excessive CPU resources, leading to a denial of service for the application without providing any other direct compromise. The weakness is classified as Date Regular Expression Denial of Service (CWE-1333).", "risk_and_exploitability": "The CVSS score of 5.9 indicates a medium severity impact. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly known exploits yet. The likely attack vector is an HTTP request containing a specially crafted URL that triggers the inefficient regular expression during routing. Because the vulnerability only affects internal pattern matching, remediation typically involves updating the dependency or avoiding multiple wildcard parameters in routes."}}}}, "created": "2026-03-27T08:33:17.550295+00:00", "updated": "2026-03-27T09:25:37.750391+00:00", "vendors": ["path-to-regexp", "path-to-regexp$PRODUCT$path-to-regexp"]}