GHSA-j3q9-mxjg-w52f

Published: 27 Mar 2026
Source: github
Github: Reviewed
CVSS3: 7.5

Description

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
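
One way to enforce the workaround above before a pattern is handed to the router, as an added example that is not part of the advisory or of path-to-regexp's own code: it counts directly adjacent `{...}` groups and rejects patterns over a limit. The function names and the default limit of 2 are assumptions, and the scanner is a conservative approximation of the pattern syntax, not the library's parser.

```javascript
// Added example: pre-flight lint for path-to-regexp style route patterns.
// It is a conservative approximation, not the library's own parser.

// Assumed policy value (not from the advisory): max adjacent `{...}` groups allowed.
const DEFAULT_MAX_SEQUENTIAL_GROUPS = 2;

// Returns the longest run of directly adjacent optional groups, at any nesting depth.
function maxSequentialOptionalGroups(pattern) {
  const runs = [0]; // runs[d] = current run of adjacent groups at depth d
  let longest = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") {
      i++; // the escaped character is literal text
      runs[runs.length - 1] = 0;
    } else if (ch === "{") {
      runs.push(0); // enter a group; the parent's run is kept
    } else if (ch === "}" && runs.length > 1) {
      runs.pop(); // leave the group and extend the parent's run
      const run = ++runs[runs.length - 1];
      if (run > longest) longest = run;
    } else {
      runs[runs.length - 1] = 0; // any other token breaks adjacency
    }
  }
  return longest;
}

// Throws before the pattern ever reaches the router; returns it unchanged if accepted.
function assertSafeRoutePattern(pattern, limit = DEFAULT_MAX_SEQUENTIAL_GROUPS) {
  if (typeof pattern !== "string") throw new TypeError("route pattern must be a string");
  const run = maxSequentialOptionalGroups(pattern);
  if (run > limit) {
    throw new RangeError(`route pattern has ${run} sequential optional groups (limit ${limit})`);
  }
  return pattern;
}

// Constructed sample patterns; the second is the one quoted in the advisory.
const samples = ["/users{/:id}", "{a}{b}{c}:z", "/x{/:a{/:b}{/:c}{/:d}}", "\\{a\\}\\{b\\}\\{c\\}"];
for (const p of samples) {
  try {
    assertSafeRoutePattern(p);
    console.log("ok      ", p);
  } catch (err) {
    console.log("rejected", p, "-", err.message);
  }
}
```

Run the check wherever route patterns are registered, and treat a rejection as a configuration error to fix, not something to retry.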

Packages

Name: path-to-regexp (npm)
Affected versions: >= 8.0.0, < 8.4.0
Fixed version: 8.4.0

EPSS

Percentile: 17%
0.00052
Low

7.5 High

CVSS3

Weaknesses

CWE-1333
CWE-400

Related vulnerabilities

CVSS3: 7.5
ubuntu
13 days ago

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

CVSS3: 7.5
redhat
13 days ago

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

CVSS3: 7.5
nvd
13 days ago

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

CVSS3: 7.5
debian
13 days ago

Impact: A bad regular expression is generated any time you have multi ...
