Platform
nodejs
Component
path-to-regexp
Fixed in
0.1.13
CVE-2026-4867 describes a Denial of Service (DoS) vulnerability within the path-to-regexp Node.js package. This vulnerability arises from the generation of flawed regular expressions when handling URL parameters, potentially causing catastrophic backtracking and service disruption. The vulnerability impacts versions before 0.1.13, and a patch is available in version 0.1.13.
The core of this vulnerability lies in the way path-to-regexp constructs regular expressions from URL path patterns. Specifically, when a path segment contains three or more parameters separated by characters other than periods (e.g., /a-:b-:c or /a-:b-:c-:d), the generated regular expression can lead to catastrophic backtracking. This occurs because the lookahead protection introduced in version 0.1.12 only addresses ambiguity with two parameters. With three or more, overlapping capture groups are created, causing the regular expression engine to expend excessive resources attempting to match the input, ultimately leading to a denial of service. An attacker could craft malicious URLs to trigger this condition, effectively rendering the application unresponsive.
This vulnerability was publicly disclosed on 2026-03-27. There are currently no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is primarily related to resource exhaustion, making it a potential target for opportunistic attackers.
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4867 is to upgrade to version 0.1.13 or later of the path-to-regexp package. This version includes a fix that prevents the generation of the problematic regular expressions. If upgrading immediately is not feasible, consider implementing temporary workarounds such as validating and sanitizing URL parameters to prevent excessively complex patterns. While a WAF might offer some protection, it's unlikely to be effective against this type of vulnerability without specific rules tailored to the regular expression patterns. After upgrading, confirm the fix by testing with URLs containing three or more parameters separated by non-period characters to ensure the application no longer exhibits performance degradation.
Upgrade the version of the path-to-regexp library to version 0.1.13 or higher. If upgrading is not possible, you can provide a custom regular expression for parameters after the first in a single segment. Another alternative is to limit the URL length.
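The two interim workarounds above, written out as an added example (this is not code from the advisory or from the path-to-regexp project). It runs on plain Node.js without Express: `urlLengthGuard` is a middleware-shaped length limit (the 2048-byte default is an assumed value), and `compileRoute`/`matchRoute` are a deliberately small translation of the `:name(pattern)` route syntax that Express 4 routes accept, written only for this example and not the library's own compiler. The hardened route keeps the default pattern for the first parameter and gives every later parameter in the segment a class that excludes the `-` separator, so the capture groups can no longer overlap.

```javascript
// Added example (not the advisory's or path-to-regexp's code): a URL-length
// guard and a multi-parameter route whose later parameters carry their own
// restrictive patterns. compileRoute() is an example-only translation of the
// ':name(pattern)' syntax, not the library's compiler.

const MAX_URL_LENGTH = 2048; // assumed limit; size it for your application

// Middleware-shaped guard (req, res, next): answer 414 for over-long URLs so
// they never reach the router. Returns false when the request was rejected.
function urlLengthGuard(maxLength = MAX_URL_LENGTH) {
  return function (req, res, next) {
    if (typeof req.url === 'string' && req.url.length > maxLength) {
      res.statusCode = 414; // URI Too Long
      res.end('URI Too Long');
      return false;
    }
    next();
    return true;
  };
}

// Escape literal route text so it can be embedded in a RegExp source string.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
}

// Translate '/a-:b-:c([^/-]+)-:d([^/-]+)' into an anchored RegExp plus the
// ordered parameter names. A bare ':name' gets the permissive default
// '([^/]+?)'; an explicit '(pattern)' is used verbatim as the capture group.
function compileRoute(route) {
  const token = /:(\w+)(\([^)]*\))?/g;
  const keys = [];
  let source = '';
  let last = 0;
  let m;
  while ((m = token.exec(route)) !== null) {
    source += escapeRegExp(route.slice(last, m.index));
    keys.push(m[1]);
    source += m[2] ? m[2] : '([^/]+?)';
    last = token.lastIndex;
  }
  source += escapeRegExp(route.slice(last));
  return { regexp: new RegExp('^' + source + '/?$', 'i'), keys };
}

// Match a request path against a compiled route; returns {name: value} or null.
function matchRoute(compiled, path) {
  const m = compiled.regexp.exec(path);
  if (!m) return null;
  const params = {};
  compiled.keys.forEach((k, i) => { params[k] = m[i + 1]; });
  return params;
}

// The advisory's three-parameter segment. Only ':b' keeps the default; ':c'
// and ':d' exclude '/' and the '-' separator, so each '-' in the path can be
// consumed by exactly one literal and the groups no longer overlap.
const HARDENED_ROUTE = compileRoute('/a-:b-:c([^/-]+)-:d([^/-]+)');

console.log(HARDENED_ROUTE.regexp.source);
console.log(matchRoute(HARDENED_ROUTE, '/a-x-y-z'));   // { b: 'x', c: 'y', d: 'z' }
console.log(matchRoute(HARDENED_ROUTE, '/a-x-y'));     // null
```

In an Express 4 application the same route string (`'/a-:b-:c([^/-]+)-:d([^/-]+)'`) can be passed directly to `app.get()`, and `urlLengthGuard()` can be registered with `app.use()` ahead of the router. Limiting the URL length does not remove the ambiguity; it only bounds the input the regular expression engine has to work through, so the upgrade to 0.1.13 remains the real fix.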
CVE-2026-4867 is a Denial of Service vulnerability in the path-to-regexp Node.js package, allowing attackers to trigger catastrophic backtracking with complex URL parameters.
You are affected if you are using a version of path-to-regexp prior to 0.1.13. Check your project dependencies to determine if you are vulnerable.
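One way to run that dependency check, as an added example that is not part of the advisory or of the path-to-regexp project: scan a `package-lock.json` for every copy of path-to-regexp older than the fixed release 0.1.13, including copies nested under other dependencies (Express 4, for example, depends on the 0.1.x line). The function names, the sample lockfiles and the placeholder versions other than path-to-regexp's are all constructed for this example.

```javascript
// Added example (not the advisory's or path-to-regexp's code): find copies of
// path-to-regexp below 0.1.13 in a package-lock.json object. Understands
// lockfile v1 (nested "dependencies" tree) and v2/v3 (flat "packages" map
// keyed by node_modules path); v2 files carry both, so "packages" wins.

const PACKAGE = 'path-to-regexp';
const FIXED_VERSION = '0.1.13';

// Plain numeric dotted-version compare (pre-release tags are ignored).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map((n) => parseInt(n, 10) || 0);
  const pb = String(b).split('.').map((n) => parseInt(n, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The advisory's affected range: anything before 0.1.13.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Returns [{ path, version }] for every affected copy in the lockfile.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isTarget = path === 'node_modules/' + PACKAGE ||
        path.endsWith('/node_modules/' + PACKAGE);
      if (isTarget && meta.version && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === PACKAGE && meta.version && isAffected(meta.version)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Read and scan a lockfile from disk (not called at load time).
function scanLockfile(filePath) {
  const fs = require('fs');
  return findAffected(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample lockfiles (not real project data); versions other than
// path-to-regexp's are placeholders.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/express': { version: '4.0.0' },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/path-to-regexp': { version: '0.1.13' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: '4.0.0',
      dependencies: { 'path-to-regexp': { version: '0.1.7' } },
    },
  },
};

console.log(findAffected(SAMPLE_LOCK_V3));
// [ { path: 'node_modules/express/node_modules/path-to-regexp', version: '0.1.12' } ]
console.log(findAffected(SAMPLE_LOCK_V1));
// [ { path: 'node_modules/express/node_modules/path-to-regexp', version: '0.1.7' } ]
```

Run `scanLockfile('./package-lock.json')` against a real project to list the paths that need attention; a copy nested under another package (as in the samples) is fixed by updating that package or by an override in `package.json`, not by adding a newer top-level copy alongside it.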
Upgrade to version 0.1.13 or later of the path-to-regexp package using npm or yarn. This resolves the flawed regular expression generation.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-4867, but it remains a potential risk.
Refer to the official path-to-regexp GitHub release notes for version 0.1.13: https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13