Overview
Unrestricted Resource Consumption in Node.js Express can occur when an attacker crafts route patterns that drive the regex engine into exponential blow-up. CVE-2026-4926 documents this denial-of-service risk and notes that a patch was applied in version 8.4.0. This class of vulnerability is categorized under CWE-400 and CWE-1333, both of which describe resource exhaustion triggered by crafted input.
Affected Versions
before 8.4.0; fixed in 8.4.0
Code Fix Example
Node.js (Express) API Security Remediation
/* Vulnerable and fixed example in one snippet */
const express = require('express');
const app = express();

// Vulnerable: the route pattern is interpolated straight from untrusted input.
// The value is hard-coded for the demo; in the vulnerable scenario it would
// arrive from a request or another external source.
const userPattern = '{a}{b}{c}:z'; // supplied by user or attacker

// Handler for the unvalidated route, kept separate so the route line stays readable.
const vulnerableHandler = (req, res) => {
  res.send('vulnerable pattern');
};
app.get(`/${userPattern}`, vulnerableHandler);
// Fixed: validate and whitelist input; do not use raw user input in route patterns
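/**
 * Allow-list check for a route-pattern fragment before it is interpolated into
 * an Express route. Rejects anything that is not a non-empty string of
 * `[A-Za-z0-9_:-{}]`, that exceeds the length bound, that contains unbalanced
 * or nested braces, or that declares more than `maxGroups` `{...}` groups.
 *
 * This limits the shape of a pattern; upgrading to the patched release named
 * in the advisory above remains the primary remediation.
 *
 * @param {string} p - candidate pattern fragment (untrusted)
 * @param {{ maxGroups?: number, maxLength?: number }} [opts]
 *   - maxGroups: maximum number of `{...}` groups (default 2, as before)
 *   - maxLength: maximum accepted length (default 128; constructed value, tune per deployment)
 * @returns {boolean} true only if every check passes
 */
function isSafePattern(p, { maxGroups = 2, maxLength = 128 } = {}) {
  // Non-strings, empty input and oversized input are rejected before any regex runs.
  if (typeof p !== 'string' || p.length === 0 || p.length > maxLength) return false;

  // Character allow-list: alphanumerics, colon, dash, underscore and braces only.
  if (!/^[a-zA-Z0-9_:\-{}]+$/.test(p)) return false;

  // Braces must be balanced and never nested; a bare `{`, a stray `}` or `{{a}`
  // would otherwise slip through a simple `\{.*?\}` count.
  let open = false;
  let groups = 0;
  for (const ch of p) {
    if (ch === '{') {
      if (open) return false; // nested or repeated opening brace
      open = true;
    } else if (ch === '}') {
      if (!open) return false; // closing brace without an opener
      open = false;
      groups += 1;
    }
  }
  if (open) return false; // unterminated group

  // Restrict the number of groups, since each one widens the matcher.
  return groups <= maxGroups;
}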
// Fixed: the pattern reaches the router only after passing the allow-list;
// otherwise a fixed literal segment is used instead.
const safePattern = isSafePattern(userPattern) ? userPattern : 'default';

const safeHandler = (req, res) => {
  res.send('safe');
};
app.get(`/${safePattern}`, safeHandler);

const PORT = 3000;
app.listen(PORT, () => {
  console.log('Listening on 3000');
});