CVE-2026-4926 (High) detected in path-to-regexp-8.3.0.tgz #321
Description
CVE-2026-4926 - High Severity Vulnerability
Vulnerable Library - path-to-regexp-8.3.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/.pnpm/path-to-regexp@8.3.0/node_modules/path-to-regexp/package.json
Dependency Hierarchy:
- @postgres.ai/ce-4.0.3.tgz (Root Library)
- react-scripts-5.0.1.tgz
- webpack-dev-server-4.15.2.tgz
- express-5.2.1.tgz
- router-2.2.0.tgz
- ❌ path-to-regexp-8.3.0.tgz (Vulnerable Library)
- router-2.2.0.tgz
- express-5.2.1.tgz
- webpack-dev-server-4.15.2.tgz
- react-scripts-5.0.1.tgz
Found in base branch: master
Vulnerability Details
Impact:A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The generated regex grows exponentially with the number of groups, causing denial of service.Patches:Fixed in version 8.4.0.Workarounds:Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Publish Date: 2026-03-26
URL: CVE-2026-4926
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-j3q9-mxjg-w52f
Release Date: 2026-03-26
Fix Resolution: path-to-regexp - 8.4.0
Step up your Open Source Security Game with Mend here