Skip to content

core-11.1.9.tgz: 2 vulnerabilities (highest severity is: 7.5) #253

Description

@mend-bolt-for-github
Vulnerable Library - core-11.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (core version) Remediation Possible**
CVE-2026-4926 High 7.5 path-to-regexp-8.3.0.tgz Transitive N/A*
CVE-2026-4923 Medium 5.9 path-to-regexp-8.3.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-4926

Vulnerable Library - path-to-regexp-8.3.0.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • core-11.1.9.tgz (Root Library)
    • path-to-regexp-8.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Impact:A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The generated regex grows exponentially with the number of groups, causing denial of service.Patches:Fixed in version 8.4.0.Workarounds:Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Publish Date: 2026-03-26

URL: CVE-2026-4926

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j3q9-mxjg-w52f

Release Date: 2026-03-26

Fix Resolution: path-to-regexp - 8.4.0

Step up your Open Source Security Game with Mend here

CVE-2026-4923

Vulnerable Library - path-to-regexp-8.3.0.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • core-11.1.9.tgz (Root Library)
    • path-to-regexp-8.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Impact:
When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.
Unsafe examples:
/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y
Safe examples:
/*foo-:bar
/*foo-:bar-*baz
Patches:
Upgrade to version 8.4.0.
Workarounds:
If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Publish Date: 2026-03-26

URL: CVE-2026-4923

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-27v5-c462-wpq7

Release Date: 2026-03-26

Fix Resolution: path-to-regexp - 8.4.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

Priority

None yet

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions