Using a case-sensitive regular expression as the path of a middleware route allows an attacker to bypass that middleware by requesting an endpoint whose own path is matched case-insensitively. Paths specified as strings are matched case-insensitively by default, whereas regular expression paths are matched case-sensitively unless they carry the i flag.

When using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the i flag.

The following example restricts access to paths in the /admin path to users logged in as administrators:

A path such as /admin/users/45 can only be accessed by an administrator. However, the path /ADMIN/USERS/45 can be accessed by anyone: the upper-case path does not match the case-sensitive regular expression that the middleware is mounted on, so the middleware is skipped, yet Express still routes the request to the handler registered for the path string /admin/users, because string paths are matched case-insensitively.

The issue can be fixed by adding the i flag to the regular expression:
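The following is an added example, not code from the original page: a minimal stand-in for the parts of Express routing that matter here (string paths compiled case-insensitively, RegExp paths used as written, middleware mounted as a path prefix), so the bypass and the fix can be run without installing Express. The routing semantics are a simplified assumption, and the request objects are constructed.

```javascript
// Added example (not from the original page): a tiny stand-in for Express
// routing, enough to show the case-sensitivity bypass and its fix.
function compilePath(path, isMount) {
  // Express compiles string paths case-insensitively by default (the 'i' flag
  // below); a RegExp path is used exactly as written, flags included.
  if (path instanceof RegExp) return path;
  const body = path.replace(/:[^/]+/g, '[^/]+');           // ':id' -> one segment
  return new RegExp('^' + body + (isMount ? '(?:/|$)' : '/?$'), 'i');
}

function createApp() {
  const layers = [];
  return {
    use(path, fn) { layers.push({ re: compilePath(path, true), fn }); },
    get(path, fn) { layers.push({ re: compilePath(path, false), fn }); },
    // Walk the layer chain; return the status a handler set, or 404 when no
    // handler finished the response.
    handle(req) {
      const res = { status: 404 };
      let i = 0;
      const next = () => {
        while (i < layers.length) {
          const layer = layers[i++];
          if (layer.re.test(req.path)) return layer.fn(req, res, next);
        }
      };
      next();
      return res.status;
    },
  };
}

// Same wiring as the page describes: an admin guard mounted on a path,
// followed by an admin-only route registered with a string path.
function buildAdminApp(guardPath) {
  const app = createApp();
  app.use(guardPath, (req, res, next) => {
    if (req.user && req.user.isAdmin) next(); else res.status = 401;
  });
  app.get('/admin/users/:id', (req, res) => { res.status = 200; });
  return app;
}

const anonymous = { path: '/ADMIN/USERS/45', user: null };  // constructed request
const vulnerable = buildAdminApp(/\/admin\/.*/);            // case-sensitive guard
const fixed = buildAdminApp(/\/admin\/.*/i);                 // guard with the i flag
console.log(vulnerable.handle(anonymous)); // 200: guard skipped, data served
console.log(fixed.handle(anonymous));      // 401: guard applied
```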

  • MDN Regular Expression Flags.