CVE-2026-4923

ADVISORY - github

Summary

Impact

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches

Upgrade to version 8.4.0.

Workarounds

If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
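To decide which route definitions need that check, the following added example (not code from the advisory or from the affected project) flags path strings matching the shape described under Impact: two or more wildcards, at least one parameter, and a second wildcard that is not the end of the path. It assumes wildcards are written `*name` and parameters `:name` with identifier-style names, as in the examples above, and that a backslash escapes the next character; the function names `scanPath`, `isRiskyPath` and `auditRoutes` are hypothetical.

```javascript
// Added example: heuristic linter for the route shapes this advisory describes.
// It does not use or reproduce the affected library's own parser.

// Assumption: wildcards are "*name", parameters are ":name", names are
// identifier characters, and "\x" is an escaped literal character.
const TOKEN = /\\.|([*:])([A-Za-z_$][\w$]*)/g;

// Return the wildcard and parameter tokens found in a path, in order.
function scanPath(path) {
  const tokens = [];
  for (const m of path.matchAll(TOKEN)) {
    if (m[1] === undefined) continue; // escaped character, treat as literal
    tokens.push({
      kind: m[1] === "*" ? "wildcard" : "param",
      name: m[2],
      end: m.index + m[0].length, // offset just past the token
    });
  }
  return tokens;
}

// True when the path has the shape the advisory lists as unsafe.
function isRiskyPath(path) {
  const tokens = scanPath(path);
  const wildcards = tokens.filter((t) => t.kind === "wildcard");
  const hasParam = tokens.some((t) => t.kind === "param");
  if (wildcards.length < 2 || !hasParam) return false;
  // Advisory condition: the second wildcard is somewhere other than the end.
  return wildcards[1].end !== path.length;
}

// Filter a list of route paths down to the ones that need review.
function auditRoutes(routes) {
  return routes.filter(isRiskyPath);
}

// Sample input: the unsafe and safe paths listed in the advisory.
const sampleRoutes = [
  "/*foo-*bar-:baz",
  "/*a-:b-*c-:d",
  "/x/*a-:b/*c/y",
  "/*foo-:bar",
  "/*foo-:bar-*baz",
];
for (const route of auditRoutes(sampleRoutes)) {
  console.log(`review before deploying on an unpatched version: ${route}`);
}
```

A flagged path is a candidate for the regex check described above or for the upgrade; the linter only inspects the path string and does not measure the generated regular expression.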

EPSS Score: 0.0004 (0.122)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Inefficient Regular Expression Complexity

ADVISORY - github

Inefficient Regular Expression Complexity

