fix: CVE-2026-4867

Co-authored-by: Ulises Gascon <[email protected]>

Author: blakeembrey

index.js

@@ -94,6 +94,7 @@ function pathToRegexp(path, keys, options) {
       pos = offset + match.length;
 
       if (match === '*') {
+        backtrack = '';
         extraOffset += 3;
         return '(.*)';
       }
@@ -123,6 +124,7 @@ function pathToRegexp(path, keys, options) {
         + ')'
         + optional;
 
+      backtrack = '';
       extraOffset += result.length - match.length;
 
       return result;

test.js

@@ -12,6 +12,15 @@ describe('path-to-regexp', function () {
     assert.deepEqual(pathToRegExp('/:a-:b'), /^(?:\/([^/]+?))-(?:((?:(?!\/|-).)+?))\/?$/i);
   });
 
+  // See: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2
+  it('should generate a regex without backtracking for 3+ params', function () {
+    var re = pathToRegExp('/:a-:b-:c-:d');
+    var input = '/' + Array(4001).join('a-') + '/z';
+    var start = Date.now();
+    re.exec(input);
+    assert.ok(Date.now() - start < 1000, 'ReDoS: regex took too long');
+  });
+
   describe('strings', function () {
     it('should match simple paths', function () {
       var params = [];