Bug 2451867 (CVE-2026-4926) - CVE-2026-4926 path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
Summary: CVE-2026-4926 path-to-regexp: path-to-regexp: Denial of Service via crafted r...
Keywords:
Status: NEW
Alias: CVE-2026-4926
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452250 2452251 2452253 2452258 2452259 2452260 2452249 2452252 2452254 2452255 2452256 2452257 2452261 2452262 2452297
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-26 20:03 UTC by OSIDB Bzimport
Modified: 2026-03-27 17:31 UTC (History)
135 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-26 20:03:51 UTC 
Impact:

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches:

Fixed in version 8.4.0.

Workarounds:

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Note You need to log in before you can comment on or make changes to this bug.