path-to-regexp
npm · 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting path-to-regexp (page 1 of 1)
- CVE-2024-45296 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 6.3.0 · 2024-09-09
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs …
- CVE-2024-52798 · HIGH · CVSS 7.7 · EG 0.0 · ✓ Fixed in 0.1.12 · 2024-12-05
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can …
- CVE-2026-4867 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 0.1.13 · 2026-03-26
Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in p…
- CVE-2026-4923 · MEDIUM · CVSS 5.9 · EG 5.9 · ✓ Fixed in 8.4.0 · 2026-03-26
Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the en…
- CVE-2026-4926 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 8.4.0 · 2026-03-26
Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.…