CVE-2026-4926

Description

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

PUBLISHED Reserved 2026-03-26 | Published 2026-03-26 | Updated 2026-03-27 | Assigner openjs

Problem types

CWE-400: Uncontrolled Resource Consumption

CWE-1333: Inefficient Regular Expression Complexity

Product status

Credits

uug4na reporter

blakeembrey remediation developer

UlisesGascon remediation reviewer

References

cna.openjsf.org/security-advisories.html

cve.org (CVE-2026-4926)

nvd.nist.gov (CVE-2026-4926)

Download JSON