Bug 2451783 (CVE-2026-4867)

Summary: CVE-2026-4867 path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, alcohan, alizardo, anjoseph, anpicker, anthomas, anujha, aschwart, asoldano, aszczucz, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, bparees, bstansbe, caswilli, cdrage, cmah, dbosanac, dbruscin, dhanak, dkeler, dkuc, dlofthou, doconnor, drichtar, drosa, dschmidt, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gmalinko, gparvin, hasun, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jcantril, jchui, jfula, jhe, jkoehler, jlanda, jolong, jowilson, jpasqual, jprabhak, jraez, jreimann, jrokos, juwatts, jwong, kaycoth, kbempah, kshier, ktsao, kvanderr, lball, lphiri, manissin, mbarnett, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mstipich, msvehla, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, orabin, oramraz, osousa, pahickey, pantinor, parichar, pberan, pbizzarr, pcattana, pcreech, pdelbell, pesilva, pjindal, pmackay, psrna, ptisnovs, rchan, rexwhite, rhaigner, rhel-process-autobot, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, rushinde, sausingh, sdawley, simaishi, smaestri, smallamp, smcdonal, smullick, solenoci, ssilvert, stcannon, sthirugn, sthorger, stirabos, suppawar, syedriko, tasato, teagle, thason, thjenkin, tmalecek, ttakamiy, vdosoudi, veshanka, vmuzikar, watson-tool-maintainers, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in path-to-regexp. A remote attacker could exploit this vulnerability by crafting a malicious URL with three or more parameters in a single segment, separated by non-period characters. This causes the component to generate a bad regular expression, leading to catastrophic backtracking. The overlapping capture groups can consume excessive processing resources, resulting in a Denial of Service (DoS) for the affected application.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-26 17:02:21 UTC
Impact:

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches:

Upgrade to path-to-regexp.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds:

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.