## CVE-2026-4867: High-Severity ReDoS Vulnerability Patched in `path-to-regexp` Dependency Chain
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2026-4867 (CVSS 7.5), has been resolved in the `path-to-regexp` library. The flaw surfaced in the dependency chain of `@itwin/express-server`, which pulls in the vulnerable version transitively through `express`. In a ReDoS, an attacker supplies crafted input (for a routing library, typically the request path) that drives the regular expression engine into catastrophic backtracking: the engine explores an exponential number of ways to match before it fails, tying up a CPU core per request and degrading or denying service.
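To make the mechanism concrete, here is an added example (not code from the article, the issue, or `path-to-regexp`) that times a textbook nested-quantifier pattern against inputs built to fail. The pattern is the generic `^(a+)+$` case; it is not the pattern involved in this CVE, which the article does not give, and the inputs are constructed.

```javascript
// Added example: what "catastrophic backtracking" means in practice.
// EVIL is the textbook nested-quantifier pattern, not path-to-regexp's own;
// SAFE accepts exactly the same strings without the nested quantifier.
const EVIL = /^(a+)+$/; // nested quantifier: exponential time on failure
const SAFE = /^a+$/;    // same language, linear time

// Time a single match. Node has no regex timeout, so this is measurement only.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Constructed inputs: n copies of 'a' followed by a character that makes the
// overall match fail, so the engine must try every way of splitting the 'a's
// between the inner and outer quantifier before giving up. Lengths are kept
// small so the whole run finishes quickly; each extra character roughly
// doubles EVIL's time while SAFE stays flat.
function backtrackingProfile(re, lengths = [12, 16, 20]) {
  return lengths.map((n) => {
    const input = 'a'.repeat(n) + '!';
    return { n, ...timeMatch(re, input) };
  });
}

console.table(backtrackingProfile(EVIL));
console.table(backtrackingProfile(SAFE));
```

Run it with `node`; the `ms` column for `EVIL` grows geometrically with `n` while `SAFE` stays in the microseconds. Because JavaScript offers no way to abort a running match, the practical fix once such a pattern is reachable from a request path is the library patch, with request-path length limits at the edge as defense in depth.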

The affected version was `path-to-regexp@0.1.12`; the fix shipped in `0.1.13`, published on March 26, 2026. Crucially, `0.1.13` already falls inside the range `~0.1.12` that `express` declares (a tilde range on `0.1.12` admits any later `0.1.x` patch release), so remediation needed no override and no `package.json` change: regenerating the lockfile with `rush update --full` pulled in the patched release. A subsequent `pnpm audit` no longer reported the CVE, taking the high-severity count from one to zero. One caveat for anyone repeating this: `--full` re-resolves the whole dependency graph rather than just the one package, so other transitive dependencies will also move within their declared ranges, and the lockfile diff deserves a review before it is merged.

The resolution highlights an often overlooked aspect of software supply chain security: a lockfile pins each transitive dependency to one exact version, so a project can keep building a vulnerable release long after a fix is published inside the version range its dependencies already declare. No application code changed here, but the fix reached the build only because the lockfile was regenerated. Projects with similar dependency trees should refresh lockfiles and run audits on a schedule, and verify (for example with `pnpm why path-to-regexp`, or by reading the resolved version out of the lockfile) that patched versions permitted by existing ranges are actually the ones being resolved.
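As an added example (not the project's own scripts), the following Node script performs the two checks this story turns on: whether the lockfile currently resolves a vulnerable release of the transitive dependency, and whether the declared range already admits the fix, so that a refresh alone is enough. The package name, versions and range follow the article; the lockfile text is constructed, and the `express` version and integrity hashes in it are placeholders.

```javascript
// Added example (not the project's tooling): scan a pnpm lockfile for the
// resolved versions of one transitive dependency and decide whether a plain
// lockfile refresh can reach the fixed version. Package, versions and range
// come from the article; the lockfile excerpts are constructed, with a
// placeholder express version and placeholder integrity hashes.
const VULNERABLE_PKG = 'path-to-regexp';
const FIXED_IN = '0.1.13';        // first patched release (per the article)
const DECLARED_RANGE = '~0.1.12'; // range `express` declares (per the article)

// Constructed excerpt in pnpm lockfile v9 layout, before `rush update --full`.
const LOCK_BEFORE = `
lockfileVersion: '9.0'
packages:
  express@4.21.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  path-to-regexp@0.1.12:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  express@4.21.2:
    dependencies:
      path-to-regexp: 0.1.12
  path-to-regexp@0.1.12: {}
`;

// Same tree after the refresh: only the transitive dependency moved.
const LOCK_AFTER = LOCK_BEFORE.replace(/0\.1\.12/g, '0.1.13');

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm tilde semantics for a full x.y.z base: ~1.2.3 means >=1.2.3 <1.3.0,
// i.e. same major.minor with the patch at or above the base.
function satisfiesTilde(range, version) {
  if (!range.startsWith('~')) throw new Error('only ~x.y.z ranges are handled here');
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return v[0] === base[0] && v[1] === base[1] && v[2] >= base[2];
}

// Every distinct x.y.z the lockfile resolved for `pkg`. Matches the package
// keys of both the v6 (`  /name@1.2.3:`) and v9 (`  name@1.2.3:`) layouts;
// the anchored prefix keeps `@scope/name@...` from matching a bare `name`.
function lockedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`^\\s*/?${escaped}@(\\d+\\.\\d+\\.\\d+)`, 'gm');
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

function auditLock(lockText, pkg = VULNERABLE_PKG, fixedIn = FIXED_IN, range = DECLARED_RANGE) {
  return lockedVersions(lockText, pkg).map((version) => ({
    version,
    vulnerable: compareVersions(version, fixedIn) < 0,
    // True when a refresh alone can reach the fix; false means the dependent's
    // declared range must be bumped (or an override added) first.
    fixReachableByRefresh: satisfiesTilde(range, fixedIn),
  }));
}

console.log('before refresh:', auditLock(LOCK_BEFORE));
console.log('after refresh: ', auditLock(LOCK_AFTER));
```

Against a real repository, read the lockfile from disk instead of the inline string (`pnpm-lock.yaml` in a plain pnpm project; Rush keeps its copy under `common/config/rush/`). The `fixReachableByRefresh` flag is the decision point: `true` means `rush update --full` or `pnpm update` suffices, `false` means the range in the dependent's `package.json` has to change, or an override has to be added, before any refresh will help.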
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, ReDoS, Supply Chain Security, Node.js, Express
- **Credibility**: unverified
- **Published**: 2026-03-27 22:27:06
- **ID**: 38434
- **URL**: https://whisperx.ai/en/intel/38434