


Perceptive Security
SOC/SIEM Consultancy

Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (…
Published:
25 March 2026 at 23:00:00
Alert date:
26 March 2026 at 18:03:17
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-4867 affects the path-to-regexp library: a route that declares three or more parameters within a single URL segment, separated by characters other than a period, compiles to a regular expression that suffers catastrophic backtracking (ReDoS). The library's existing backtrack protection only covers the two-parameter case, so the three-or-more case is left unprotected. An attacker can exploit this to cause a denial of service, because a crafted request path keeps the regex engine busy for a long time. The issue is fixed in path-to-regexp@0.1.13; for older versions the available workarounds are replacing the affected segment with a custom regex pattern or limiting the URL length the application accepts.
Technical details
Affected products:
path-to-regexp
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-4867
https://blakeembrey.com/posts/2024-09-web-redos
https://cna.openjsf.org/security-advisories.html
https://github.com/advisories/GHSA-9wv6-86v2-598j
This article was created with the assistance of AI technology by Perceptive.
