Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 9c83e1a
Author: Manuel
Date: 2026-03-28T16:39:54Z
Commit Message
refactor: Bump path-to-regexp from 8.3.0 to 8.4.0 (#10340)
Pull Request
PR: #10340 - refactor: Bump path-to-regexp from 8.3.0 to 8.4.0
Labels: None
Description:
Closes #10339
Changes
- 8.4.0: Security fixes for CVE-2026-4926 and CVE-2026-4923; restricts wildcard backtracking; dedupes regex prefixes for shorter regexes; rejects large optional route combinations (> 256)
Breaking Changes
None
Code Changes Required
None — the upgrade is a drop-in replacement.
Summary by CodeRabbit
Release Notes
- Chores
  - Updated project dependencies to improve a...
Analysis
Vulnerability Type: Regular Expression Denial of Service (ReDoS)
Severity: High
Description
The update to path-to-regexp 8.4.0 patches two denial-of-service flaws (CVE-2026-4926 and CVE-2026-4923). The release note names two mechanisms: excessive backtracking in wildcard patterns, which is triggered while a request path is matched, and the expansion of large optional route combinations, which happens while a route pattern is compiled. Either one lets crafted input consume excessive CPU. The patch restricts wildcard backtracking and rejects patterns that expand to more than 256 optional route combinations, so neither a crafted request path nor a crafted route pattern can degrade server performance in this way.
Affected Code
- path-to-regexp@8.3.0 put no limit on wildcard backtracking during matching and no limit on the number of optional route combinations expanded during compilation.
- The wildcard case is driven by the request path, so it is reachable by any client that can send requests to a route containing wildcards; the optional-combination case is driven by the route pattern itself, so it requires that the attacker control or influence the patterns the application compiles. In either case the outcome is a server that hangs or crashes from resource exhaustion.
Proof of Concept
Using path-to-regexp@8.3.0, build a route pattern with a large number of optional groups (`{...}` in v8 syntax), for example:
```js
const { pathToRegexp } = require('path-to-regexp'); // 8.3.0 reproduces the hang, 8.4.0 rejects the pattern

// path-to-regexp v8 syntax: `{...}` is an optional group. Regex-style `(a?)` is not
// valid here; `(` and `?` are reserved characters that the v8 parser rejects outright.
// Every optional group doubles the number of route combinations the library expands,
// so 300 groups means 2^300 combinations.
const pattern = '/' + '{a}'.repeat(300) + 'b';

const started = Date.now();
try {
  const { regexp } = pathToRegexp(pattern); // v8 returns { regexp, keys }
  console.log('Regex compiled in', Date.now() - started, 'ms; source length', regexp.source.length);
} catch (e) {
  console.error('Error compiling regex:', e.message);
}
```
With 8.3.0 this compilation does not finish in practical time: the number of route combinations doubles with every optional group, so 300 groups means 2^300 combinations to expand, and the process consumes CPU and memory until it is killed. Run it in a throwaway process, not on a shared host. With 8.4.0 the same call rejects the pattern with an error because it exceeds the 256-combination limit, so the call returns immediately instead of hanging.
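An application that compiles route patterns from configuration or other external input should not rely on the library alone to refuse oversized patterns; a pre-flight count lets it reject them with a clear error before `pathToRegexp()` runs. The code below is an added example written for this advisory, not path-to-regexp's own implementation. It assumes v8 syntax (`{...}` is an optional group, `\` escapes the next character); the counting model (a sequence multiplies, an optional group contributes 1 + its inner count because it can be present or absent) is this example's own, and 256 is the limit quoted in the 8.4.0 release note. The sample patterns are constructed.

```javascript
// Added example for this advisory; not path-to-regexp's code. A pre-flight check
// for applications that compile route patterns from configuration or other
// external input: count the optional route combinations a v8-style pattern
// expands to and refuse it before pathToRegexp() is called.
// Assumptions: v8 syntax, where `{...}` is an optional group and `\` escapes the
// next character; the counting model (a sequence multiplies, an optional group
// contributes 1 + its inner count because it can be present or absent) is this
// example's own, and 256 is the limit quoted in the 8.4.0 release note.
const MAX_ROUTE_COMBINATIONS = 256n;

// Returns the number of combinations as a BigInt so that very long or deeply
// nested patterns are counted exactly instead of overflowing to Infinity.
function countRouteCombinations(pattern) {
  let pos = 0;
  function parseSequence(insideGroup) {
    let total = 1n;
    while (pos < pattern.length) {
      const ch = pattern[pos];
      if (ch === '\\') {            // escaped character: a literal, skip both chars
        pos += 2;
      } else if (ch === '{') {      // optional group: present or absent
        pos += 1;
        total *= 1n + parseSequence(true);
      } else if (ch === '}') {
        if (!insideGroup) throw new Error(`unbalanced '}' at ${pos} in ${pattern}`);
        pos += 1;
        return total;
      } else {
        pos += 1;                   // literal, parameter or wildcard char: one way
      }
    }
    if (insideGroup) throw new Error(`unterminated '{' in ${pattern}`);
    return total;
  }
  return parseSequence(false);
}

// Gate to run on every externally supplied pattern before compiling it.
function validateRoutePattern(pattern, limit = MAX_ROUTE_COMBINATIONS) {
  const combinations = countRouteCombinations(pattern);
  return { ok: combinations <= limit, combinations };
}

// Constructed patterns: an ordinary route with two optional groups, and the
// 300-group pattern from the proof of concept above.
const SAMPLE_PATTERNS = [
  '/users/:id{/posts/:postId}{.:ext}',
  '/' + '{a}'.repeat(300) + 'b',
];
for (const p of SAMPLE_PATTERNS) {
  const { ok, combinations } = validateRoutePattern(p);
  const shown = p.length > 40 ? p.slice(0, 40) + '...' : p;
  console.log(`${ok ? 'ACCEPT' : 'REJECT'} ${combinations} combination(s): ${shown}`);
}
```

The count is exact and cheap (linear in the pattern length), so the gate itself cannot become the bottleneck that the expansion would be; a rejected pattern should be logged with its source (config file, API caller) rather than silently dropped.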
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-28T18:00:36.515Z