Debian Node-Path-To-Regexp vulnerabilities

5 known vulnerabilities affecting debian/node-path-to-regexp.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2026-4926 | HIGH | CVSS 7.5 | fixed in node-path-to-regexp 8.4.0-1 (forky) | 2026
CVE-2026-4926 [HIGH] node-path-to-regexp - Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid p
CVE-2026-4867 | HIGH | CVSS 7.5 | fixed in node-path-to-regexp 1.0.1-1 (bookworm) | 2026
CVE-2026-4867 [HIGH] node-path-to-regexp - Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, `/:a-:b-:c` or `/:a-:b-:c-:d`. The backtrack protection added in [email protected] only prevents ambiguity for two parameters. With three or more, the generated lookahead does not bl
CVE-2026-4923 | MEDIUM | CVSS 5.9 | fixed in node-path-to-regexp 8.4.0-1 (forky) | 2026
CVE-2026-4923 [MEDIUM] node-path-to-regexp - Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: `/*foo-*bar-:baz`, `/*a-:b-*c-:d`, `/x/*a-:b/*c/y`. Safe examples: `/*foo-:bar`, `/*foo-:bar-*baz`. P
CVE-2024-45296 | HIGH | CVSS 7.5 | fixed in node-path-to-regexp 6.3.0-1 (forky) | 2024
CVE-2024-45296 [HIGH] node-path-to-regexp - path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is gener
CVE-2024-52798 | LOW | CVSS 7.5 | 2024
CVE-2024-52798 [HIGH] node-path-to-regexp - path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incom