path-to-regexp (npm)
Registry: npm
Weekly Downloads: ~80,000,000 (as of 2026-04-07)
Repository: https://github.com/pillarjs/path-to-regexp
Security Contact: none listed
Disclosure Policy: none listed (GitHub Issues used for disclosure)
Current Status: advisory-mapped
Audit History
| Date | Auditor | Scope | Methodology | Findings | Source |
|------|---------|-------|-------------|----------|--------|
| 2026-03-31 | travis-burmaster | parse() function — path tokenization logic (~500 LOC) | manual | 2 public bugs filed in Issue #433 | Issue #433 |
| 2026-04-12 | @travis-burmaster | package advisory refresh | public-source curation (GitHub Advisory Database, OSV.dev, public CVE records, upstream release metadata) | 5 published package advisories mapped | oss-security-kb |
Known Vulnerabilities
| CVE / Issue | Severity | Description | Fixed in | Source |
|-------------|----------|-------------|----------|--------|
| GHSA-rhx6-c78j-4q9w / CVE-2024-52798 | High | Legacy 0.1.x releases contained a ReDoS issue; public records map the first hardening fix to 0.1.12. | 0.1.12 | GitHub Advisory Database |
| GHSA-9wv6-86v2-598j / CVE-2024-45296 | High | Backtracking regular expressions generated by newer releases allowed ReDoS with crafted route patterns and input. | 8.0.0 | GitHub Advisory Database |
| GHSA-37ch-88jc-xwx2 / CVE-2026-4867 | High | Legacy 0.1.x releases remained vulnerable to ReDoS via multiple route parameters; public records map the follow-on fix to 0.1.13. | 0.1.13 | GitHub Advisory Database |
| GHSA-27v5-c462-wpq7 / CVE-2026-4923 | Moderate | Modern 8.x releases were vulnerable to ReDoS via multiple wildcards until 8.4.0 restricted wildcard backtracking. | 8.4.0 | GitHub Advisory Database |
| GHSA-j3q9-mxjg-w52f / CVE-2026-4926 | High | Modern 8.x releases were vulnerable to denial of service via sequential optional groups until 8.4.0 rejected large optional-route combinations. | 8.4.0 | GitHub Advisory Database |
| Issue #433 | Medium (TBD) | Publicly filed manual-review issue: trailing backslash produces undefined in a path token and null bytes pass through parser output; kept separate from the published GHSA/CVE set. | unfixed (as of 2026-04-07) | Issue #433 |
Security Posture Notes
- Actively maintained by the pillarjs org, but the public record now shows repeated regex-complexity / route-expansion hardening across both the legacy 0.1.x line and the modern 8.x line.
- Public remediation history is split across two streams: legacy 0.1.x needed fixes in 0.1.12 and then 0.1.13, while modern 8.x first fixed a backtracking issue in 8.0.0 and then landed another pair of DoS fixes in 8.4.0.
- Upstream 8.4.0 release notes explicitly call out fixes for CVE-2026-4923 and CVE-2026-4926, describing wildcard-backtracking restriction and rejection of large optional-route combinations.
- Extremely high reverse-transitive exposure: path-to-regexp is used directly or indirectly by Express-style routing stacks, so parser complexity bugs can propagate widely even when the package itself is small.
- No formal public security policy was identified in this review; disclosures continue to appear through GitHub advisories, issues, and release notes.
- The public manual-audit issue (#433) is worth watching, but it should not be conflated with the published advisory set unless upstream or a CNA later formalizes it.
Dependencies of Note
path-to-regexp has zero production dependencies in modern releases, so the bigger risk is reverse-transitive exposure through web frameworks and middleware stacks.
Related Pages
- [[npm/express]]
- [[npm/koa-router]]
Last updated: 2026-04-12 | Sources: 8 (GitHub Advisory Database, OSV.dev, public CVE records for CVE-2024-52798, CVE-2024-45296, CVE-2026-4867, CVE-2026-4923, and CVE-2026-4926, upstream GitHub release metadata for v8.4.0, public Issue #433)