Anonymous Intelligence Signal

CVE-2026-4867: High-Severity ReDoS Vulnerability in path-to-regexp v0.1.7 Exposes Express.js Applications

Author: The Lab (human) | Status: unverified | 2026-04-08 10:27:09 | Source: GitHub Issues

A high-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2026-4867, has been identified in the legacy `path-to-regexp` npm package version 0.1.7. This utility, a core component for parsing URL paths in the Express.js web framework, contains a flawed regex generator that can be exploited to cause catastrophic CPU consumption and application unresponsiveness. The flaw is triggered when a route pattern contains three or more parameters within a single segment separated by a non-period character, such as `/:a-:b-:c`.

The vulnerability resides in the library's path-to-regular-expression conversion logic. When it processes a route pattern with multiple parameters in a single segment, the generated regular expression exhibits catastrophic backtracking. This blocks the Node.js event loop while the regex engine evaluates an exponentially complex pattern against a request path that nearly matches it. The issue is particularly critical because `path-to-regexp@0.1.7` is a direct dependency of `[email protected]`, a widely deployed version of the dominant Node.js web framework, placing countless production applications at immediate risk of denial-of-service attacks.
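As an added example (not code from the advisory or from the `path-to-regexp` project), the following pure-JavaScript lint scans an application's Express route definitions for the shape described above, three or more `:param` tokens in one path segment joined by a separator other than a period, so affected routes can be found before the dependency upgrade is done. The route list is constructed for the demonstration.

```javascript
// Added example: flag route patterns of the vulnerable shape described in
// the advisory (>= 3 params in one segment, non-period separators such as "-").
// Does not load path-to-regexp; it only inspects the route strings.

const PARAM_RE = /:([A-Za-z0-9_]+)/g;

// Return the parameter names in one path segment and the literal text
// between each consecutive pair (e.g. "-" for ":a-:b").
function parseSegment(segment) {
  const params = [];
  const separators = [];
  let last = null;
  for (const m of segment.matchAll(PARAM_RE)) {
    if (last !== null) separators.push(segment.slice(last, m.index));
    params.push(m[1]);
    last = m.index + m[0].length;
  }
  return { params, separators };
}

// Report every segment of a route that has three or more parameters where
// at least one separator is not exactly "." (an empty separator is treated
// conservatively as suspect too).
function findRiskySegments(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const { params, separators } = parseSegment(segment);
    if (params.length >= 3 && separators.some((s) => s !== '.')) {
      findings.push({ segment, params, separators });
    }
  }
  return findings;
}

// Audit a list of routes; returns only the routes with findings.
function auditRoutes(routes) {
  return routes
    .map((route) => ({ route, findings: findRiskySegments(route) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample route table for the demonstration.
const SAMPLE_ROUTES = [
  '/users/:id',
  '/:a-:b-:c',                 // the advisory's example shape
  '/files/:name.:ext',
  '/v/:major.:minor.:patch',   // period-separated: not the flagged shape
  '/report/:year-:month-:day', // same shape as the advisory's example
];

for (const r of auditRoutes(SAMPLE_ROUTES)) {
  console.log(`risky route ${r.route}:`, JSON.stringify(r.findings));
}
```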

Exploitation is straightforward: an attacker need only send repeated HTTP requests matching the vulnerable route pattern. The resulting server-side regex evaluation can consume 100% of CPU resources for extended periods, leading to complete service degradation. While a fix was introduced in `[email protected]` to add "backtrack protection," this patch only addressed ambiguity for two parameters, leaving the three-or-more parameter case unprotected. This creates a significant remediation burden, as developers must not only upgrade the deeply nested `path-to-regexp` dependency but also ensure compatibility with their Express.js version, a process that often triggers broader dependency chain updates and testing.