{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4926", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-26T18:36:49.229Z", "datePublished": "2026-03-26T18:59:38.000Z", "dateUpdated": "2026-03-27T19:44:53.294Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-26T18:59:38.000Z"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."}]}], "affected": [{"vendor": "path-to-regexp", "product": "path-to-regexp", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.4.0"}, {"versionType": "semver", "status": "unaffected", "version": "8.4.0"}], "packageURL": "pkg:npm/path-to-regexp"}], "references": [{"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "uug4na"}, {"lang": "en", "type": "remediation developer", "value": "blakeembrey"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}], "title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:44:44.790485Z", "id": "CVE-2026-4926", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:44:53.294Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns."}], "id": "CVE-2026-4926", "lastModified": "2026-03-26T19:17:08.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-03-26T19:17:08.387", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.4.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "8.4.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "path-to-regexp", "source": "cna", "vendor": "path-to-regexp"}, "product": "path-to-regexp", "vendor": "path-to-regexp"}], "analysis": {"en": {"generated_at": "2026-03-26T20:35:51.074535+00:00", "value": {"mitigation_remediation": ["Upgrade the path-to-regexp package to version 8.4.0 or later.", "Reduce the number of sequential optional groups in all route patterns.", "Avoid using user-provided data directly to build route patterns; validate or sanitize input before use.", "Monitor application performance for signs of regex compilation delays or high CPU usage.", "Apply temporary throttling or circuit-breaking mechanisms to mitigate denial of service attacks."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the path-to-regexp package, a JavaScript routing utility used in many web frameworks. Any deployment using a version prior to 8.4.0 is susceptible, especially when route definitions include more than one consecutive optional group. Products that embed path-to-regexp directly or indirectly must verify the version they are running.", "description_and_impact": "A misuse of the regular expression engine in the path-to-regexp library causes a denial of service when route patterns contain multiple sequential optional groups. The algorithm that transforms these patterns into a regular expression expands exponentially as more optional groups are added, which can overload the server with time to compile or match the pattern. This weakness reduces the availability of applications that rely on path-to-regexp for routing.", "risk_and_exploitability": "With a CVSS score of 7.5 the risk is moderate to high. Exploitation requires crafting a route pattern with sequential optional groups, which is feasible if the application author uses dynamic route construction from user input. Attackers can trigger CPU exhaustion by repeatedly accessing such URLs, leading to denial of service. Because the EPSS score is unavailable, the probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog, but the severity remains significant for exposed applications."}}}}, "created": "2026-03-27T08:33:19.313377+00:00", "updated": "2026-03-27T09:25:40.044036+00:00", "vendors": ["path-to-regexp", "path-to-regexp$PRODUCT$path-to-regexp"]}