CVE-2026-4926: Regular Expression Denial of Service in pillarjs path-to-regexp

The path-to-regexp library serves as a core routing dependency for major Node.js frameworks, including Express and Koa. It processes string-based route definitions and converts them into regular expressions for path matching. CVE-2026-4926 identifies a Denial of Service (DoS) vulnerability present in versions 8.0.0 through 8.3.0 of this library.

The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). It manifests when the parser evaluates route patterns containing multiple sequential optional groups. The parsing logic fails to constrain the permutations generated from these optional components.

During processing, affected versions expand optional groups into all possible combinations to construct the final regular expression. This mechanism results in an exponential increase in CPU and memory usage as the number of optional groups grows. The resulting resource exhaustion leads to complete application unavailability.

The root cause of CVE-2026-4926 resides within the flatten function of the library's parser. In version 8, optional groups enclosed in curly braces trigger an expansion process. This process creates a distinct branch for every possible state of the optional group, attempting to map all valid path combinations.

The branching logic results in an exponential growth factor of 2^N, where N represents the number of sequential optional groups. A pattern containing 25 optional groups generates approximately 33 million permutations. A pattern with 50 groups pushes this number beyond one quadrillion discrete permutations.

The library processes these permutations by converting each into a full regular expression string and concatenating them using the logical OR operator. This methodology creates an excessively long final regular expression. The memory required to store and compile this massive string quickly exceeds the allocation limits of the V8 JavaScript engine.

The memory exhaustion leads to immediate process termination via Out Of Memory (OOM) errors. Furthermore, the generated regular expressions frequently contain overlapping capture groups with greedy quantifiers. This causes the V8 engine to enter catastrophic backtracking states, consuming 100% of available CPU cycles when evaluated against specific inputs.

The vulnerability was addressed in version 8.4.0 through three targeted architectural changes. The primary fix, implemented in commit 43669ac637fe70fad33693d145a74d98179152ce, replaces the naive string concatenation with a trie-based deduplication strategy. This structural change targets the memory consumption aspect of the vulnerability.

The introduction of the SourceNode object allows the parser to merge common prefixes instead of generating distinct branches for every permutation. By organizing the permutations into a trie structure, the output regular expression string length remains proportional to the input complexity. This eliminates the combinatorial memory exhaustion.

// Conceptual representation of the deduplication logic introduced in 8.4.0
class SourceNode {
  constructor() {
    this.children = new Map();
    this.isEnd = false;
  }
  // Common prefixes are merged into the same tree branches
  add(tokens) {
    // Implementation merges sequential nodes to avoid 2^N branch duplication
  }
}

The secondary fix, implemented in commit 22a967901afc8b2b42eefe456faa7b6773dcc415, introduces a defensive hard limit on the number of path combinations. The parser tracks the permutation count and throws a PathError if the predefined threshold is exceeded.

// Excerpt representing the combination limit enforcement
let combinations = 1;
for (const token of tokens) {
  if (token.type === 'optional') {
    combinations *= 2;
    if (combinations > 256) {
      throw new TypeError('Too many path combinations');
    }
  }
}

This limit of 256 combinations serves as a fail-safe against deeply nested or highly complex patterns that might evade the deduplication logic. A concurrent commit refactored the toRegExpSource function to restrict repeated wildcard backtracking by replacing greedy quantifiers with lazy quantifiers.

Exploitation requires the attacker to supply a crafted route pattern to a vulnerable application endpoint. The target application must either accept user-controlled route definitions or process untrusted input against statically defined routes containing numerous optional groups. The attack does not require authentication or elevated privileges.

The standard proof-of-concept payload consists of a repeating sequence of optional groups. An attacker transmits a payload such as {/a}{/b}{/c}{/d} repeated extensively. When the application passes this payload to pathToRegexp(), the parser immediately begins the exponential expansion process.

// Proof of Concept Payload
{/a}{/b}{/c}{/d}{/e}{/f}{/g}{/h}{/i}{/j}{/k}{/l}{/m}{/n}{/o}{/p}{/q}{/r}{/s}{/t}{/u}{/v}{/w}{/x}{/y}{/z}

The Node.js single-threaded event loop becomes completely blocked during the generation and compilation of the regular expression. This prevents the application from processing any subsequent HTTP requests. The process ultimately crashes due to an Out Of Memory error or hangs indefinitely due to continuous CPU consumption.

The successful exploitation of CVE-2026-4926 results in a complete Denial of Service condition. The application becomes unresponsive to all legitimate user traffic while the CPU and memory resources are consumed by the regular expression engine. This impact extends to all services hosted within the affected Node.js process.

The single-threaded nature of Node.js exacerbates the impact of this vulnerability. A single malicious request blocks the main thread, affecting all active concurrent connections. The application instance is rendered entirely unavailable until the process is forcefully restarted by the operating system or a container orchestration system.

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, resulting in a base score of 7.5. The vulnerability requires no privileges, involves no user interaction, and possesses a low attack complexity. The impact is strictly isolated to the Availability metric, with no direct threat to Confidentiality or Integrity.

The EPSS score stands at 0.0004, placing it in the 12.15th percentile. While active exploitation in the wild is currently assessed as low, the widespread adoption of path-to-regexp across the Node.js ecosystem presents a substantial attack surface. Applications exposing route definitions to external input are at immediate risk.

The primary remediation strategy requires upgrading the path-to-regexp dependency to version 8.4.0 or later. Organizations utilizing frameworks such as Express or Koa must ensure their package lockfiles resolve to the patched version. Dependency trees should be audited using standard package management tools to confirm the removal of vulnerable versions.

Application architectures must enforce strict input validation and sanitization on all route definitions. Developers must never pass untrusted, user-controlled input directly to pathToRegexp() or any underlying routing mechanisms. Dynamic route generation based on user input represents an inherent anti-pattern and should be avoided.

Route definitions should be reviewed to minimize the use of sequential optional groups. Simplifying route structures reduces both parsing overhead and the potential attack surface for resource consumption flaws. Explicit, well-defined routes are preferable to complex wildcard combinations.

Security teams should integrate static analysis tools, such as recheck, into their CI/CD pipelines. These tools analyze regular expressions for complexity limits and can detect the introduction of similar ReDoS vulnerabilities during the development lifecycle.