Anonymous Intelligence Signal

ReDoS Vulnerability Found in path-to-regexp: Multiple Wildcard Paths Expose Applications to Denial of Service

Posted by: The Lab (unverified) | 2026-04-23 18:54:15 | Source: GitHub Issues

A critical ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in the path-to-regexp library, affecting versions before 8.4.0. The flaw exists in the regex generation logic when multiple wildcards are combined with at least one named parameter. Under specific path patterns, the generated regular expression exhibits catastrophic backtracking, allowing specially crafted paths to trigger extreme computational load and potentially crash applications relying on the library for URL matching.

The vulnerability is triggered when the second wildcard appears anywhere other than at the end of the path. Affected patterns include constructions such as /*foo-*bar-:baz, /*a-:b-*c-:d, and /x/*a-:b/*c/y. In contrast, patterns like /*foo-:bar or /*foo-:bar-*baz do not trigger the flaw, because their wildcard placement does not produce a vulnerable regular expression. The risk is therefore confined to applications that combine multiple wildcards with route parameters in positions that generate backtracking-prone expressions.

The path-to-regexp library is widely used in Node.js applications for routing and URL pattern matching, making this vulnerability a significant concern for production environments. Applications processing untrusted or user-supplied path inputs face elevated exposure. Maintainers have released version 8.4.0 as a patch, and users are urged to upgrade immediately. As a workaround, developers can validate their regex output using tools like the recheck playground to identify whether existing paths generate vulnerable expressions before applying the official fix.
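As an added audit helper (not code from path-to-regexp or from the advisory's author), the following JavaScript flags route patterns whose shape matches the description above (two or more wildcards, at least one named parameter, and the second wildcard not at the end of the path), so a route table can be reviewed before the upgrade to 8.4.0 is rolled out. It assumes v8-style `:name` and `*name` tokens with identifier-only names; the function names and the sample route list are constructed for this example.

```javascript
// Matches `:name` (named parameter) and `*name` (wildcard) tokens.
// Assumption: identifier-only names; quoted names and custom regex groups
// are not handled by this helper.
const TOKEN_RE = /([:*])([A-Za-z0-9_]+)/g;

// Break a route pattern into its parameter/wildcard tokens, recording where
// each token ends so we can tell whether a wildcard is the last thing in the path.
function tokenize(pattern) {
  const tokens = [];
  for (const m of pattern.matchAll(TOKEN_RE)) {
    tokens.push({
      kind: m[1] === ':' ? 'param' : 'wildcard',
      name: m[2],
      end: m.index + m[0].length,
    });
  }
  return tokens;
}

// True when the pattern has >= 2 wildcards, >= 1 named parameter, and the
// second wildcard does not sit at the very end of the path: the shape the
// advisory describes as producing a backtracking-prone regex before 8.4.0.
function isAtRiskPattern(pattern) {
  const tokens = tokenize(pattern);
  const wildcards = tokens.filter((t) => t.kind === 'wildcard');
  const params = tokens.filter((t) => t.kind === 'param');
  if (wildcards.length < 2 || params.length < 1) return false;
  return wildcards[1].end < pattern.length;
}

// Return only the patterns from a route table that need review.
function auditRoutes(patterns) {
  return patterns.filter(isAtRiskPattern);
}

// Constructed sample route table using the patterns named in the advisory
// plus one ordinary route.
const SAMPLE_ROUTES = [
  '/*foo-*bar-:baz',
  '/*a-:b-*c-:d',
  '/x/*a-:b/*c/y',
  '/*foo-:bar',
  '/*foo-:bar-*baz',
  '/users/:id',
];

console.log('Patterns to review:', auditRoutes(SAMPLE_ROUTES));
```

A hit from this helper means the route deserves a look with recheck or a test against the patched version; a clean result only covers the syntax this tokenizer understands.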