Your message dated Fri, 27 Mar 2026 16:18:42 +0000
with message-id <[email protected]>
and subject line Bug#1132020: fixed in node-path-to-regexp 8.4.0-1
has caused the Debian Bug report #1132020,
regarding node-path-to-regexp: CVE-2026-4923 CVE-2026-4926
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132020
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-path-to-regexp
Version: 8.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for node-path-to-regexp.
CVE-2026-4867[0]:
| Impact: A bad regular expression is generated any time you have
| three or more parameters within a single segment, separated by
| something that is not a period (.). For example, /:a-:b-:c or
| /:a-:b-:c-:d. The backtrack protection added in path-to-
| [email protected] only prevents ambiguity for two parameters. With three
| or more, the generated lookahead does not block single separator
| characters, so capture groups overlap and cause catastrophic
| backtracking. Patches: Upgrade to [email protected] Custom
| regex patterns in route definitions (e.g.,
| /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override
| the default capture group. Workarounds: All versions can be
| patched by providing a custom regular expression for parameters
| after the first in a single segment. As long as the custom regular
| expression does not match the text before the parameter, you will be
| safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
| If paths cannot be rewritten and versions cannot be upgraded,
| another alternative is to limit the URL length.
CVE-2026-4923[1]:
| Impact: When using multiple wildcards, combined with at least one
| parameter, a regular expression can be generated that is vulnerable
| to ReDoS. This backtracking vulnerability requires the second
| wildcard to be somewhere other than the end of the path.
| Unsafe examples:
|   /*foo-*bar-:baz
|   /*a-:b-*c-:d
|   /x/*a-:b/*c/y
| Safe examples:
|   /*foo-:bar
|   /*foo-:bar-*baz
| Patches: Upgrade to version 8.4.0. Workarounds: If you are using
| multiple wildcard parameters, you can check the regex output with a
| tool such as https://makenowjust-labs.github.io/recheck/playground/
| to confirm whether a path is vulnerable.
CVE-2026-4926[2]:
| Impact: A bad regular expression is generated any time you have
| multiple sequential optional groups (curly brace syntax), such as
| `{a}{b}{c}:z`. The generated regex grows exponentially with the
| number of groups, causing denial of service. Patches: Fixed in
| version 8.4.0. Workarounds: Limit the number of sequential
| optional groups in route patterns. Avoid passing user-controlled
| input as route patterns.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4867
https://www.cve.org/CVERecord?id=CVE-2026-4867
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
[1] https://security-tracker.debian.org/tracker/CVE-2026-4923
https://www.cve.org/CVERecord?id=CVE-2026-4923
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
[2] https://security-tracker.debian.org/tracker/CVE-2026-4926
https://www.cve.org/CVERecord?id=CVE-2026-4926
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
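The three advisories quoted above each describe a route-pattern shape, and the first one gives a concrete workaround. The following is an added example, not code from the Debian report or from path-to-regexp itself: it audits route patterns for those three shapes and applies the first advisory's workaround, assuming the v8 syntax quoted above (`:name` parameters, `*name` wildcards, `{...}` optional groups, and an optional `(regex)` after a parameter name).

```javascript
// Added example, not from the Debian report or path-to-regexp itself: audit
// route patterns for the three shapes the advisories describe and apply the
// first advisory's workaround. Assumes the v8 syntax quoted above (":name"
// params, "*name" wildcards, "{...}" groups, optional "(regex)" after a name).

// One match per parameter or wildcard: [kind, name, custom regex | undefined]
const TOKEN = /([:*])(\w+)(\([^)]*\))?/g;
// Text between the end of token a and the start of token b inside seg
const between = (seg, a, b) => seg.slice(a.index + a[0].length, b.index);

// Class that cannot match the separator before a param, nor "/": "-" -> [^-/]+
// (a "-" directly after "^" is literal in a JS character class, so no escape).
function forbidClass(sep) {
  const chars = [...new Set(sep)];
  const rest = chars.filter(c => c !== '-').map(c => ('\\]^'.includes(c) ? '\\' + c : c));
  return `[^${chars.includes('-') ? '-' : ''}${rest.join('')}/]+`;
}

// Returns the ids of the advisories whose unsafe shape the pattern has.
function auditRoute(pattern) {
  const found = [];
  // CVE-2026-4867: 3+ default-regex params in one segment, not "."-separated
  for (const seg of pattern.split('/')) {
    const ps = [...seg.matchAll(TOKEN)].filter(t => t[1] === ':' && !t[3]);
    const seps = ps.slice(1).map((t, i) => between(seg, ps[i], t));
    if (ps.length >= 3 && seps.some(s => s !== '.')) found.push('CVE-2026-4867');
  }
  // CVE-2026-4923: 2+ wildcards plus a param, second wildcard not at the end
  const all = [...pattern.matchAll(TOKEN)];
  const wild = all.filter(t => t[1] === '*');
  if (wild.length >= 2 && all.some(t => t[1] === ':') &&
      wild[1].index + wild[1][0].length !== pattern.length) found.push('CVE-2026-4923');
  // CVE-2026-4926: sequential optional groups such as {a}{b}{c}
  if (/\}\{/.test(pattern)) found.push('CVE-2026-4926');
  return found;
}

// Workaround for CVE-2026-4867: every param after the first in a segment
// gets a custom regex that cannot match the text in front of it.
function hardenSegments(pattern) {
  return pattern.split('/').map(seg => {
    const ps = [...seg.matchAll(TOKEN)].filter(t => t[1] === ':');
    let out = '', pos = 0;
    ps.forEach((t, i) => {
      out += seg.slice(pos, t.index) + t[0];
      if (i > 0 && !t[3]) out += `(${forbidClass(between(seg, ps[i - 1], t))})`;
      pos = t.index + t[0].length;
    });
    return out + seg.slice(pos);
  }).join('/');
}
```

Running the advisories' own examples through `auditRoute` reproduces their unsafe/safe classification, and `hardenSegments('/:a-:b-:c')` yields the advisory's `/:a-:b([^-/]+)-:c([^-/]+)`; it is a pattern-shape check only, not a replacement for upgrading to 8.4.0 or for a proper ReDoS checker such as the linked recheck tool.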
--- Begin Message ---
Source: node-path-to-regexp
Source-Version: 8.4.0-1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-path-to-regexp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-path-to-regexp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 27 Mar 2026 07:52:48 +0100
Source: node-path-to-regexp
Architecture: source
Version: 8.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1132020
Changes:
node-path-to-regexp (8.4.0-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.3
* Drop "Priority: optional"
* New upstream version
(Closes: 1132020, CVE-2026-4923, CVE-2026-4926)
--- End Message ---