From c6a7d024ed118f5cf0f57d284d0f61669cecb942 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Mon, 30 Mar 2026 13:06:34 +0200 Subject: [PATCH 1/2] blog: march 2026 security releases --- _posts/2026-03-30-security-releases.md | 57 ++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 _posts/2026-03-30-security-releases.md diff --git a/_posts/2026-03-30-security-releases.md b/_posts/2026-03-30-security-releases.md new file mode 100644 index 0000000000..bc850b9beb --- /dev/null +++ b/_posts/2026-03-30-security-releases.md 
@@ -0,0 +1,57 @@ +--- +title: March 2026 Security Releases +description: Security releases for path-to-regexp have been published. We recommend that all users upgrade as soon as possible. +tags: security vulnerabilities +authors: + - name: Ulises Gascon + github: UlisesGascon +--- + +The Express team has released new patch versions of [path-to-regexp](https://www.npmjs.com/package/path-to-regexp) addressing three regular expression denial of service vulnerabilities. + +{% include admonitions/warning.html +content="We recommend upgrading to the latest version of path-to-regexp to secure your applications." +%} + +The following vulnerabilities have been addressed: + +- [CVE-2026-4867 in path-to-regexp utility module (High)](#cve-2026-4867-in-path-to-regexp-utility-module-high) +- [CVE-2026-4926 in path-to-regexp utility module (High)](#cve-2026-4926-in-path-to-regexp-utility-module-high) +- [CVE-2026-4923 in path-to-regexp utility module (Medium)](#cve-2026-4923-in-path-to-regexp-utility-module-medium) + +## CVE-2026-4867 in path-to-regexp utility module (High) + +**[path-to-regexp](https://www.npmjs.com/package/path-to-regexp) versions `<= 0.1.12` are vulnerable to regular expression denial of service via multiple route parameters** + +A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period. For example, `/:a-:b-:c`. The backtrack protection added in v0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, causing catastrophic backtracking. + +**Affected versions**: `<= 0.1.12` +**Patched version**: `>= 0.1.13` + +For more details, see [GHSA-37ch-88jc-xwx2](https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2). 
+ +## CVE-2026-4926 in path-to-regexp utility module (High) + +**[path-to-regexp](https://www.npmjs.com/package/path-to-regexp) versions `>= 8.0.0` are vulnerable to denial of service via sequential optional groups** + +A bad regular expression is generated any time you have multiple sequential optional groups, such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Avoid passing user-controlled input as route patterns. + +**Affected versions**: `>= 8.0.0` +**Patched version**: `>= 8.4.0` + +For more details, see [GHSA-j3q9-mxjg-w52f](https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f). + +## CVE-2026-4923 in path-to-regexp utility module (Medium) + +**[path-to-regexp](https://www.npmjs.com/package/path-to-regexp) versions `>= 8.0.0, <= 8.3.0` are vulnerable to regular expression denial of service via multiple wildcards** + +When using multiple wildcards combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. The second wildcard must be somewhere other than the end of the path. For example, `/*foo-*bar-:baz`. + +**Affected versions**: `>= 8.0.0, <= 8.3.0` +**Patched version**: `>= 8.4.0` + +For more details, see [GHSA-27v5-c462-wpq7](https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7). + +--- + +We recommend upgrading to the latest version of path-to-regexp to secure your applications. From 0d735c6e340e0c16999a5c43a346533e2cb31bbc Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Mon, 30 Mar 2026 09:30:07 -0500 Subject: [PATCH 2/2] docs: update upgrade instructions for path-to-regexp in security release note --- _posts/2026-03-30-security-releases.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/_posts/2026-03-30-security-releases.md b/_posts/2026-03-30-security-releases.md index bc850b9beb..b3f4564fe8 100644 --- a/_posts/2026-03-30-security-releases.md 
+++ b/_posts/2026-03-30-security-releases.md @@ -9,9 +9,14 @@ authors: The Express team has released new patch versions of [path-to-regexp](https://www.npmjs.com/package/path-to-regexp) addressing three regular expression denial of service vulnerabilities. -{% include admonitions/warning.html -content="We recommend upgrading to the latest version of path-to-regexp to secure your applications." -%} +{% capture warning_content %} +We recommend upgrading to the latest version of path-to-regexp to secure your applications. If you have a `package-lock.json`, you can update the dependency by running: + +```sh +npm update path-to-regexp +``` +{% endcapture %} +{% include admonitions/warning.html content=warning_content %} The following vulnerabilities have been addressed:
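Review bot: In PATCH 1/2, the CVE-2026-4926 section states an open-ended affected range (`versions >= 8.0.0 are vulnerable` and `**Affected versions**: >= 8.0.0`) while the patched version is `>= 8.4.0`, so as written the range includes the fixed release. Suggest bounding it the same way the CVE-2026-4923 section does, e.g. `**Affected versions**: >= 8.0.0, <= 8.3.0`, in both the bold summary line and the affected-versions line. Minor style point in the same hunk: the closing sentence "We recommend upgrading to the latest version of path-to-regexp to secure your applications." duplicates the admonition text verbatim; one of the two could be dropped or reworded.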
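Review bot: In PATCH 2/2, the conditional "If you have a `package-lock.json`, you can update the dependency by running" is misleading: `npm update path-to-regexp` resolves to the newest version that satisfies the semver range already declared for the package (or its parent, since path-to-regexp is normally a transitive dependency of express), with or without a lockfile, and it will not cross a major boundary. Suggest wording it as "run `npm update path-to-regexp` and confirm the installed version with `npm ls path-to-regexp`", so readers can check they landed on `>= 0.1.13` on the 0.1.x line or `>= 8.4.0` on 8.x, which are the patched versions the post itself lists. Also worth verifying that `admonitions/warning.html` renders Markdown inside `content`; the captured block now contains a fenced ```sh snippet, which will appear as literal backticks if the include emits the text inside a plain HTML element without Markdown processing.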