Platform: nodejs
Component: path-to-regexp
Fixed in: 0.1.13
CVE-2026-4867 describes a Denial of Service (DoS) vulnerability within the path-to-regexp Node.js package. This vulnerability arises from the generation of flawed regular expressions when handling URL parameters, potentially causing catastrophic backtracking and service disruption. The vulnerability impacts versions before 0.1.13, and a patch is available in version 0.1.13.
The core of this vulnerability lies in the way path-to-regexp constructs regular expressions from URL path patterns. When a path contains three or more parameters separated by characters other than periods (e.g., /a-b-c or /a-b-c-d), the generated regular expression can suffer from catastrophic backtracking. This occurs because the lookahead protection, introduced in version 0.1.12, only prevents ambiguity for two parameters. With three or more, overlapping capture groups are created, causing the regular expression engine to expend excessive resources attempting to match the input, ultimately leading to a denial of service. The blast radius extends to any application relying on path-to-regexp for URL routing or parameter parsing, potentially impacting user access and application functionality.
This vulnerability was publicly disclosed on March 27, 2026. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the relatively straightforward nature of the vulnerability and its impact. The vulnerability's impact is primarily focused on resource exhaustion, making it less attractive to attackers seeking data exfiltration or remote code execution.
Applications built with Node.js that utilize the path-to-regexp package for URL routing or parameter parsing are at risk. This includes web applications, APIs, and microservices that rely on this package for handling incoming requests. Projects using older versions of path-to-regexp are particularly vulnerable.
• nodejs / server: `npm list path-to-regexp`
• nodejs / server: `npm audit path-to-regexp`
• nodejs / server: `grep -r 'path-to-regexp' package.json`
EPSS: 0.05% (15th percentile)
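The `npm list` check above only covers what is installed in one tree; to audit a checked-in lockfile offline, here is an added example (not from the advisory or the path-to-regexp project) that walks an npm lockfile's `packages` map, including nested copies under other dependencies, and reports every `path-to-regexp` install older than the fixed release 0.1.13. The lockfile contents and the `router-lib` package name are constructed for the demo.

```javascript
// Added example: find path-to-regexp installs below the fixed version 0.1.13
// in an npm lockfile (lockfileVersion 2 or 3, which carry a "packages" map).
const FIXED = [0, 1, 13];

// True when `version` sorts before the fixed [major, minor, patch] triple.
// A pre-release of the fixed version (0.1.13-beta.1) still counts as before it.
function isBefore(version, fixed) {
  const [core, pre] = version.split('+')[0].split('-');
  const parts = core.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((parts[i] || 0) !== fixed[i]) return (parts[i] || 0) < fixed[i];
  }
  return pre !== undefined;
}

// Walk every entry of the lockfile's "packages" map and collect each
// path-to-regexp install path whose version is below FIXED.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/path-to-regexp') || !meta.version) continue;
    if (isBefore(meta.version, FIXED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is already patched, but a
// dependency ("router-lib", a placeholder name) pins an older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/router-lib': { version: '2.0.0' },
    'node_modules/router-lib/node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/path-to-regexp': { version: '0.1.13' },
  },
};
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable`; nested hits show which dependency is holding the old version back.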
The primary mitigation for CVE-2026-4867 is to upgrade to version 0.1.13 or later of the path-to-regexp package. This version includes a fix that prevents the generation of the vulnerable regular expressions. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by restricting the complexity of URL paths used in your application. Avoid paths with three or more parameters within a single segment. While not a complete solution, this can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, as the attack is based on the regular expression engine's behavior. After upgrading, confirm the fix by testing URL paths with three or more parameters to ensure they no longer trigger excessive CPU usage.
Update the path-to-regexp library to version 0.1.13 or later. If an update is not possible, you can supply a custom regular expression for each parameter after the first one within a single segment. Another alternative is to limit the URL length.
CVE-2026-4867 is a Denial of Service vulnerability in the path-to-regexp Node.js package, allowing attackers to trigger catastrophic backtracking with complex URL parameters.
You are affected if you are using a version of path-to-regexp prior to 0.1.13. Check your project dependencies to determine if you are vulnerable.
Upgrade to version 0.1.13 or later of the path-to-regexp package using npm or yarn. This resolves the flawed regular expression generation.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-4867, but it remains a potential risk.
Refer to the official path-to-regexp GitHub release notes for version 0.1.13: https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13