## CVE-2026-4926: High-Severity DoS Vulnerability in path-to-regexp NPM Package
A high-severity denial-of-service (DoS) vulnerability has been identified in the widely used `path-to-regexp` NPM package, tracked as CVE-2026-4926. The flaw, with a CVSS score of 7.5, stems from how the library generates regular expressions for route patterns. Specifically, the library produces a pathologically inefficient regular expression when processing multiple sequential optional groups written in curly-brace syntax (e.g., `{a}{b}{c}:z`). The generated regex grows exponentially with the number of such groups, leading to catastrophic performance degradation and a denial-of-service condition.

The vulnerability affects version 8.3.0 of the `path-to-regexp` package. The issue is particularly dangerous in environments where route patterns can be influenced by user input, as an attacker could craft a malicious pattern to exhaust server resources. The package is a fundamental building block for routing in many Node.js web frameworks and applications, making its exposure potentially widespread. The flaw has been patched in version 8.4.0.

Immediate remediation requires updating the dependency to version 8.4.0 or later. As a critical workaround, developers must strictly limit the use of sequential optional groups in route patterns and avoid passing any user-controlled input directly into the `path-to-regexp` function. The vulnerability's discovery in an AWS ECR container image (arn:aws:ecr:us-east-1:551507900153:repository/elnora-mcp-server) underscores its real-world presence in deployed infrastructure, raising the urgency for security teams to scan and patch affected container images and applications within the 30-day SLA window.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, Node.js, NPM, Denial of Service, Security Vulnerability
- **Credibility**: unverified
- **Published**: 2026-03-31 19:27:25
- **ID**: 43850
- **URL**: https://whisperx.ai/en/intel/43850