Bug 2451860 (CVE-2026-4923) - CVE-2026-4923 path-to-regexp: Denial of Service via specially crafted paths with multiple wildcards
Summary: CVE-2026-4923 path-to-regexp: Denial of Service via specially crafted paths with multiple wildcards
Keywords:
Status: NEW
Alias: CVE-2026-4923
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2453045 2453048 2453050 2453053 2453054 2453055 2453056 2453043 2453044 2453046 2453047 2453049 2453051 2453052 2453057 2453058
Blocks:
 
Reported: 2026-03-26 20:03 UTC by OSIDB Bzimport
Modified: 2026-06-02 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-26 20:03:16 UTC
Impact:

When a path contains multiple wildcards together with at least one parameter, path-to-regexp can generate a regular expression that is vulnerable to ReDoS (catastrophic backtracking). The backtracking requires the second wildcard to be somewhere other than the end of the path; a path whose final token is the second wildcard is not affected.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches:

Upgrade to version 8.4.0.

Workarounds:

If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
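The shape described above (two or more wildcards, at least one parameter, and a wildcard after the first that is not the last token) can be linted for directly in route definitions before handing candidates to recheck. The following is an added example, not code from the advisory or from path-to-regexp itself; its tokenizer is a simplified, hand-written approximation of path-to-regexp 8.x path syntax (":name" parameters, "*name" wildcards, "{...}" optional groups, backslash escapes), and the route list is constructed from the examples given in this report.

```javascript
// Added example: lint route templates for the wildcard/parameter shape the
// advisory describes. Not part of path-to-regexp; the tokenizer is an
// approximation of its 8.x syntax written for this example.

function tokenizePath(path) {
  const tokens = [];
  let i = 0;
  let text = "";
  const flushText = () => {
    if (text) { tokens.push({ type: "text", value: text }); text = ""; }
  };
  // Reads the name after ':' or '*': either a quoted "name" or [A-Za-z0-9_]+.
  const readName = () => {
    if (path[i] === '"') {
      const end = path.indexOf('"', i + 1);
      if (end === -1) throw new Error(`unterminated quoted name at ${i}`);
      const name = path.slice(i + 1, end);
      i = end + 1;
      return name;
    }
    const m = /^[A-Za-z0-9_]+/.exec(path.slice(i));
    if (!m) throw new Error(`missing parameter name at ${i}`);
    i += m[0].length;
    return m[0];
  };
  while (i < path.length) {
    const c = path[i];
    if (c === "\\") { text += path[i + 1] ?? ""; i += 2; continue; } // escaped literal
    if (c === ":" || c === "*") {
      flushText();
      i += 1;
      tokens.push({ type: c === ":" ? "param" : "wildcard", name: readName() });
      continue;
    }
    if (c === "{" || c === "}") { flushText(); tokens.push({ type: c }); i += 1; continue; }
    text += c;
    i += 1;
  }
  flushText();
  return tokens;
}

// The advisory's condition: multiple wildcards, at least one parameter, and a
// wildcard other than the first that is followed by further path tokens.
// This is a heuristic; a flagged path should still be confirmed with recheck.
function isPotentiallyRedosPath(path) {
  const tokens = tokenizePath(path);
  const wildcardIdx = tokens
    .map((t, idx) => (t.type === "wildcard" ? idx : -1))
    .filter(idx => idx >= 0);
  const hasParam = tokens.some(t => t.type === "param");
  if (wildcardIdx.length < 2 || !hasParam) return false;
  return wildcardIdx.slice(1).some(idx => idx < tokens.length - 1);
}

function findSuspiciousRoutes(routes) {
  return routes.filter(isPotentiallyRedosPath);
}

// Constructed sample: the unsafe and safe examples listed in the advisory.
const sampleRoutes = [
  "/*foo-*bar-:baz", "/*a-:b-*c-:d", "/x/*a-:b/*c/y", // advisory: unsafe
  "/*foo-:bar", "/*foo-:bar-*baz",                     // advisory: safe
];

if (typeof require !== "undefined" && require.main === module) {
  for (const route of sampleRoutes) {
    console.log(isPotentiallyRedosPath(route) ? "CHECK" : "ok   ", route);
  }
}
```

Run it over the application's route table (or the paths passed to `pathToRegexp`/`match`) to shortlist candidates; only the flagged paths then need their compiled regex pasted into recheck, and upgrading to 8.4.0 removes the need for the check altogether.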

