Source: node-path-to-regexp
Version: 8.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for node-path-to-regexp.

CVE-2026-4867[0]:
| Impact: A bad regular expression is generated any time you have
| three or more parameters within a single segment, separated by
| something that is not a period (.). For example, /:a-:b-:c or
| /:a-:b-:c-:d. The backtrack protection added in
| path-to-[email protected] only prevents ambiguity for two parameters.
| With three or more, the generated lookahead does not block single
| separator characters, so capture groups overlap and cause
| catastrophic backtracking.
|
| Patches: Upgrade to [email protected]
|
| Custom regex patterns in route definitions (e.g.,
| /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override
| the default capture group.
|
| Workarounds: All versions can be patched by providing a custom
| regular expression for parameters after the first in a single
| segment. As long as the custom regular expression does not match
| the text before the parameter, you will be safe. For example,
| change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
|
| If paths cannot be rewritten and versions cannot be upgraded,
| another alternative is to limit the URL length.

CVE-2026-4923[1]:
| Impact: When using multiple wildcards, combined with at least one
| parameter, a regular expression can be generated that is vulnerable
| to ReDoS. This backtracking vulnerability requires the second
| wildcard to be somewhere other than the end of the path.
|
| Unsafe examples:
|   /*foo-*bar-:baz
|   /*a-:b-*c-:d
|   /x/*a-:b/*c/y
|
| Safe examples:
|   /*foo-:bar
|   /*foo-:bar-*baz
|
| Patches: Upgrade to version 8.4.0.
|
| Workarounds: If you are using multiple wildcard parameters,
| you can check the regex output with a tool such as
| https://makenowjust-labs.github.io/recheck/playground/ to confirm
| whether a path is vulnerable.

CVE-2026-4926[2]:
| Impact: A bad regular expression is generated any time you have
| multiple sequential optional groups (curly brace syntax), such as
| `{a}{b}{c}:z`. The generated regex grows exponentially with the
| number of groups, causing denial of service.
|
| Patches: Fixed in version 8.4.0.
|
| Workarounds: Limit the number of sequential optional groups in
| route patterns. Avoid passing user-controlled input as route
| patterns.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-4867
    https://www.cve.org/CVERecord?id=CVE-2026-4867
    https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
[1] https://security-tracker.debian.org/tracker/CVE-2026-4923
    https://www.cve.org/CVERecord?id=CVE-2026-4923
    https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
[2] https://security-tracker.debian.org/tracker/CVE-2026-4926
    https://www.cve.org/CVERecord?id=CVE-2026-4926
    https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
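As an added example (not part of the report above nor of path-to-regexp itself), a small JavaScript lint for route patterns that flags the three shapes the advisories describe and applies the documented custom-regex workaround for the first one; its tokenizer is an assumed simplification of path-to-regexp 8 syntax (`:name`, `:name(custom)`, `*name`, `{...}`, no escaping or nesting).

```javascript
// Added example, not project code. Recognises only ":name", ":name(custom)",
// "*name" and "{...}"; escaping and nested parentheses are not handled.
const PARAM = /:([A-Za-z0-9_]+)(\([^)]*\))?/g;

// Escape a separator so it can sit inside a negated character class.
function classEscape(s) {
  return s.replace(/[\\\]^-]/g, "\\$&");
}

// CVE-2026-4867: three or more default-regex params in one segment with a
// non-"." separator. Applies the advisory's workaround: every param after the
// first gets a custom regex that cannot match the separator before it.
function hardenSegment(segment) {
  const params = [...segment.matchAll(PARAM)];
  if (params.filter((m) => !m[2]).length < 3) return segment;
  let out = "";
  let last = 0;
  params.forEach((m, i) => {
    out += segment.slice(last, m.index);
    const prev = params[i - 1];
    const sep = i > 0 ? segment.slice(prev.index + prev[0].length, m.index) : "";
    if (i > 0 && !m[2] && sep !== "" && sep !== ".") {
      out += `:${m[1]}([^${classEscape(sep)}/]+)`; // e.g. :b([^\-/]+)
    } else {
      out += m[0];
    }
    last = m.index + m[0].length;
  });
  return out + segment.slice(last);
}

// Returns { findings, hardened } for one route pattern.
function lintRoute(path) {
  const findings = [];
  // CVE-2026-4926: sequential optional groups such as "{a}{b}{c}:z".
  if (/\}\s*\{/.test(path)) findings.push("sequential optional groups (CVE-2026-4926)");
  // CVE-2026-4923: two or more wildcards plus a param, second wildcard not at end.
  const wildcards = [...path.matchAll(/\*[A-Za-z0-9_]+/g)];
  if (wildcards.length >= 2 && /:[A-Za-z0-9_]+/.test(path)) {
    const second = wildcards[1];
    if (second.index + second[0].length !== path.length) {
      findings.push("multiple wildcards with a param, second not at end (CVE-2026-4923)");
    }
  }
  const hardened = path.split("/").map(hardenSegment).join("/");
  if (hardened !== path) findings.push("3+ params per segment (CVE-2026-4867), workaround applied");
  return { findings, hardened };
}
```

The wildcard and optional-group cases have no mechanical rewrite in the advisories, so the lint only reports them; the third case is rewritten exactly as the workaround text prescribes.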

