CVE-2026-4923

CVE-2026-4923 PUBLISHED CVSS 5.9 MEDIUM

Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

  • /*foo-*bar-:baz
  • /*a-:b-*c-:d
  • /x/*a-:b/*c/y

Safe examples:

  • /*foo-:bar
  • /*foo-:bar-*baz

Patches: Upgrade to version 8.4.0.

Workarounds: If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
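The condition stated in the advisory can be applied as a quick lint over an application's route strings to find the ones worth reviewing before upgrading. The following is an added example, not code from path-to-regexp or from the advisory; the function names are hypothetical, and it assumes plain `*name` / `:name` tokens (quoted names, escapes and optional groups are not parsed).

```javascript
// Heuristic lint for path-to-regexp v8 route strings (added example, not project code).
// Assumption: names are plain identifiers (*name, :name); quoted names, escapes
// and {optional} groups are not parsed here.
const TOKEN = /([*:])([A-Za-z_$][\w$]*)/g;

function tokenize(path) {
  const tokens = [];
  for (const m of path.matchAll(TOKEN)) {
    tokens.push({
      kind: m[1] === "*" ? "wildcard" : "param",
      name: m[2],
      end: m.index + m[0].length, // offset just past the token
    });
  }
  return tokens;
}

// Applies the advisory's stated condition: two or more wildcards, at least one
// parameter, and the second wildcard is not the last thing in the path.
function matchesAdvisoryCondition(path) {
  const tokens = tokenize(path);
  const wildcards = tokens.filter((t) => t.kind === "wildcard");
  const hasParam = tokens.some((t) => t.kind === "param");
  if (wildcards.length < 2 || !hasParam) return false;
  return wildcards[1].end !== path.length;
}

// Returns the subset of routes that should be reviewed.
function auditRoutes(routes) {
  return routes.filter(matchesAdvisoryCondition);
}

// Route list: the advisory's own unsafe and safe examples.
const routes = [
  "/*foo-*bar-:baz", "/*a-:b-*c-:d", "/x/*a-:b/*c/y",
  "/*foo-:bar", "/*foo-:bar-*baz",
];
for (const r of auditRoutes(routes)) console.log("review:", r);
```

A route flagged here is a candidate only; the generated regex still needs to be confirmed with a checker such as the one named in the workaround, and upgrading to 8.4.0 remains the fix.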

EPSS 0.02% · 5.1th percentile

Risk Scores

CVSS 3.1: 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.02% (5.1th percentile)

Affected Products

Vendor          Product          Versions
npm             path-to-regexp   8.0.0, 8.0.0, 8.0.0
AWS             connect
path-to-regexp  path-to-regexp   8.0.0, 8.4.0, 8.0.0
pillarjs        path-to-regexp   8.0.0

Exploit Intelligence

Timeline

  • Mar 26, 2026 PoC Published
  • Mar 26, 2026 CVE Published
  • Mar 26, 2026 PoC Published
  • Mar 27, 2026 EPSS Score
  • Mar 27, 2026 Coalition ESS Score
  • Mar 28, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score