Cyber Posture

CVE-2026-4867

Severity: High

Published: 26 March 2026
Modified: 16 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4867 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Pillarjs Path-To-Regexp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 16.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly addresses the ReDoS vulnerability by requiring identification, reporting, and timely remediation of flaws through upgrading the path-to-regexp library to version 0.1.13.

SC-5 Denial-of-Service Protection (prevent, detect): Provides denial-of-service protections such as resource limits or URL length restrictions to mitigate CPU exhaustion from catastrophic backtracking in affected route patterns.

Input validation (prevent): Enforces validation of URL path inputs to block or sanitize specially crafted patterns that trigger overlapping capture groups and backtracking in the path-to-regexp library.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

ReDoS in path-to-regexp enables remote, unauthenticated exploitation of a public-facing web app's route-matching logic, directly causing CPU exhaustion or a crash via catastrophic backtracking (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches: Upgrade to path-to-regexp@0.1.13. Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds: All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

Deeper analysis

CVE-2026-4867 is a regular expression denial-of-service (ReDoS) vulnerability in the path-to-regexp JavaScript library, affecting versions prior to 0.1.13. The issue arises when generating regular expressions for route patterns containing three or more parameters within a single segment, separated by characters other than periods, such as /:a-:b-:c or /:a-:b-:c-:d. While backtrack protection was added in version 0.1.12 to handle ambiguity for two parameters, it fails for three or more, as the lookahead does not block single separator characters. This causes capture groups to overlap, triggering catastrophic backtracking. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-1333 (Inefficient Regular Expression Complexity).

Remote, unauthenticated attackers can exploit this vulnerability by sending specially crafted URLs matching the affected route patterns. The malicious input triggers excessive backtracking in the regex engine during route matching, consuming significant CPU resources and potentially causing the application server to become unresponsive or crash, resulting in a denial of service.

Advisories recommend upgrading to path-to-regexp@0.1.13, which addresses the regex generation flaw. Custom regex patterns in route definitions, such as /:a-:b([^-/]+)-:c([^-/]+), are unaffected because they override the default capture groups. Workarounds include providing custom regular expressions for parameters after the first in a segment (ensuring they do not match the preceding text), or limiting URL length if paths cannot be rewritten and upgrades are not feasible. Further details are available in the referenced advisories at https://blakeembrey.com/posts/2024-09-web-redos, https://cna.openjsf.org/security-advisories.html, and https://github.com/advisories/GHSA-9wv6-86v2-598j.
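The workaround described in the NVD description and the analysis above, as an added example that is not code from the advisory or from the path-to-regexp project: it rewrites Express-style route strings so that every default parameter after the first in an affected segment gets a custom pattern that cannot match the text in front of it, and it checks the advisory's safety rule for hand-written patterns. It assumes `:name` parameters with an optional `(pattern)` suffix and `/`-delimited segments; the function names are mine.

```javascript
// Added example for CVE-2026-4867 (not from the advisory or path-to-regexp).
// Applies the advisory's workaround to Express-style routes: in a segment with
// three or more parameters, default parameters after the first get a pattern
// that cannot match the text in front of them. Assumes ':name' parameters with
// an optional '(pattern)' suffix and '/'-delimited segments; names are my own.

const PARAM_RE = /:(\w+)(\([^)]*\))?/g;

// Escape a separator character for use inside a negated character class.
function classChar(c) {
  return /[\]\\^]/.test(c) ? '\\' + c : c;
}

// Build "([^<separator chars>/]+)", a group that can never match the separator.
// A '-' goes first so it reads as a literal rather than a range.
function safeGroup(sep) {
  const chars = [...new Set(sep)];
  const body = (chars.includes('-') ? '-' : '') +
    chars.filter(c => c !== '-').map(classChar).join('');
  return `([^${body}/]+)`;
}

// The advisory's rule: a custom pattern must not match the text before its parameter.
function patternIsSafe(group, sep) {
  return !new RegExp('^' + group + '$').test(sep);
}

// Rewrite one segment; fewer than three parameters or only '.' separators: unchanged.
function hardenSegment(segment) {
  const params = [...segment.matchAll(PARAM_RE)];
  if (params.length < 3) return segment;
  const seps = params.slice(1).map((p, i) =>
    segment.slice(params[i].index + params[i][0].length, p.index));
  if (seps.every(s => s === '.')) return segment;
  let out = '', last = 0;
  params.forEach((p, i) => {
    const before = segment.slice(last, p.index); // literal text ahead of p
    out += before;
    // Keep parameters that already carry a custom pattern; adjacent parameters
    // (empty separator) cannot be fixed this way and are kept for review.
    const fix = i > 0 && !p[2] && before !== '';
    out += fix ? `:${p[1]}${safeGroup(before)}` : p[0];
    last = p.index + p[0].length;
  });
  return out + segment.slice(last);
}

function hardenRoute(route) {
  return route.split('/').map(hardenSegment).join('/');
}
```

Running `hardenRoute('/:a-:b-:c')` yields `/:a-:b([^-/]+)-:c([^-/]+)`, the advisory's own rewritten route; the per-separator generalisation goes beyond the `-` case shown on the page.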

Details

CWE(s): CWE-1333 Inefficient Regular Expression Complexity

Affected Products: pillarjs path-to-regexp, ≤ 0.1.13

CVEs Like This One

CVE-2026-4926 (same product: Pillarjs Path-To-Regexp)
CVE-2025-70030 (shared CWE-1333)
CVE-2026-28356 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)
CVE-2026-23897 (shared CWE-1333)
CVE-2026-35213 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)
CVE-2026-30837 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)
