{"ecosystem":"npm","package":"path-to-regexp","version":null,"bugs":[{"id":325,"ecosystem":"npm","package_name":"path-to-regexp","affected_version":null,"fixed_version":"0.1.12","bug_id":"osv:GHSA-rhx6-c78j-4q9w","title":"path-to-regexp contains a ReDoS","description":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w","labels":["CVE-2024-52798"],"created_at":"2026-04-19T04:31:15.272460+00:00","updated_at":"2026-04-19T04:31:15.272460+00:00"},{"id":324,"ecosystem":"npm","package_name":"path-to-regexp","affected_version":"8.0.0","fixed_version":"8.4.0","bug_id":"osv:GHSA-j3q9-mxjg-w52f","title":"path-to-regexp vulnerable to Denial of Service via sequential optional groups","description":"### Impact\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\n### Patches\n\nFixed in version 8.4.0.\n\n### Workarounds\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f","labels":["CVE-2026-4926"],"created_at":"2026-04-19T04:31:15.271918+00:00","updated_at":"2026-04-19T04:31:15.271918+00:00"},{"id":323,"ecosystem":"npm","package_name":"path-to-regexp","affected_version":"0.2.0","fixed_version":"1.9.0","bug_id":"osv:GHSA-9wv6-86v2-598j","title":"path-to-regexp outputs backtracking regular expressions","description":"### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j","labels":["CVE-2024-45296"],"created_at":"2026-04-19T04:31:15.271433+00:00","updated_at":"2026-04-19T04:31:15.271433+00:00"},{"id":322,"ecosystem":"npm","package_name":"path-to-regexp","affected_version":null,"fixed_version":"0.1.13","bug_id":"osv:GHSA-37ch-88jc-xwx2","title":"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters","description":"### Impact\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b-:c` or `/:a-:b-:c-:d`. The backtrack protection added in `path-to-regexp@0.1.12` only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\n### Patches\n\nUpgrade to [path-to-regexp@0.1.13](https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13)\n\nCustom regex patterns in route definitions (e.g., `/:a-:b([^-/]+)-:c([^-/]+)`) are not affected because they override the default capture group.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b-:c` to `/:a-:b([^-/]+)-:c([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.\n\n### References\n\n- [GHSA-9wv6-86v2-598j](https://github.com/advisories/GHSA-9wv6-86v2-598j)\n- [Detailed blog post: ReDoS the web](https://blakeembrey.com/posts/2024-09-web-redos/)","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2","labels":["CVE-2026-4867"],"created_at":"2026-04-19T04:31:15.270955+00:00","updated_at":"2026-04-19T04:31:15.270955+00:00"},{"id":321,"ecosystem":"npm","package_name":"path-to-regexp","affected_version":"8.0.0","fixed_version":"8.4.0","bug_id":"osv:GHSA-27v5-c462-wpq7","title":"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards","description":"### Impact\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\n**Unsafe examples:**\n\n```\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n```\n\n**Safe examples:**\n\n```\n/*foo-:bar\n/*foo-:bar-*baz\n```\n\n### Patches\n\nUpgrade to version `8.4.0`.\n\n### Workarounds\n\nIf developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7","labels":["CVE-2026-4923"],"created_at":"2026-04-19T04:31:15.269913+00:00","updated_at":"2026-04-19T04:31:15.269913+00:00"}],"total":5,"_cache":"miss"}