Bug 2451860 (CVE-2026-4923)

Summary: CVE-2026-4923 path-to-regexp: path-to-regexp: Denial of Service via specially crafted paths with multiple wildcards
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, alcohan, alizardo, anjoseph, anpicker, anthomas, aschwart, asoldano, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, bparees, bstansbe, caswilli, cmah, dbosanac, dbruscin, dhanak, dkuc, dlofthou, doconnor, drosa, dschmidt, eaguilar, ebaron, ehelms, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gmalinko, gparvin, hasun, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jcantril, jchui, jfula, jhe, jkoehler, jlanda, jolong, jowilson, jprabhak, jreimann, jrokos, juwatts, jwong, kaycoth, kbempah, kshier, ktsao, kvanderr, lball, lphiri, manissin, mbarnett, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mstipich, msvehla, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, omaciel, ometelka, orabin, oramraz, osousa, pahickey, pantinor, parichar, pberan, pcattana, pcreech, pdelbell, pesilva, pjindal, pmackay, psrna, ptisnovs, rchan, rexwhite, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, simaishi, smaestri, smallamp, smcdonal, smullick, solenoci, ssilvert, stcannon, sthirugn, sthorger, stirabos, syedriko, tasato, teagle, thason, thjenkin, tmalecek, ttakamiy, vdosoudi, veshanka, vmuzikar, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in path-to-regexp. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. The issue arises when multiple wildcards are used with parameters in a way that creates a vulnerable regular expression, leading to excessive processing time and system unresponsiveness.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2453045, 2453048, 2453050, 2453053, 2453054, 2453055, 2453056, 2453043, 2453044, 2453046, 2453047, 2453049, 2453051, 2453052, 2453057, 2453058    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-26 20:03:16 UTC 
Impact:

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches:

Upgrade to version 8.4.0.

Workarounds:

If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.