CVE-2026-4926
path-to-regexp vulnerable to Denial of Service via sequential optional groups
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.5EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
26 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Impact:
A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.
Patches:
Fixed in version 8.4.0.
Workarounds:
Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Productos afectados
path-to-regexp · path-to-regexp¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →