From 9e02b81ff6cd00e03c8a1eb1a86c39335b99cbac Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Fri, 21 Nov 2025 20:23:51 +0100 Subject: [PATCH 1/2] tls: use `RegExp.escape` to better escape servername --- lib/internal/tls/wrap.js | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/internal/tls/wrap.js b/lib/internal/tls/wrap.js index ceb770ab336646..1bfd619111172a 100644 --- a/lib/internal/tls/wrap.js +++ b/lib/internal/tls/wrap.js @@ -27,6 +27,7 @@ const { ObjectSetPrototypeOf, ReflectApply, RegExp, + RegExpEscape, Symbol, SymbolFor, } = primordials; @@ -1541,11 +1542,7 @@ Server.prototype.addContext = function(servername, context) { throw new ERR_TLS_REQUIRED_SERVER_NAME(); } - const re = new RegExp(`^${ - servername - .replace(/([.^$+?\-\\[\]{}])/g, '\\$1') - .replaceAll('*', '[^.]*') - }$`); + const re = new RegExp(`^${RegExpEscape(servername).replace(/(?<=[^\\]|^)\\\*/g, '[^.]+')}$`); const secureContext = context instanceof common.SecureContext ? context : tls.createSecureContext(context); From 3ab5c5df19e026115af84c66e76c9fb27fafdd27 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Fri, 21 Nov 2025 20:52:04 +0100 Subject: [PATCH 2/2] fixup! tls: use `RegExp.escape` to better escape servername --- lib/internal/tls/wrap.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/internal/tls/wrap.js b/lib/internal/tls/wrap.js index 1bfd619111172a..e21cc69effffa3 100644 --- a/lib/internal/tls/wrap.js +++ b/lib/internal/tls/wrap.js @@ -111,6 +111,8 @@ const kPskIdentityHint = Symbol('pskidentityhint'); const kPendingSession = Symbol('pendingSession'); const kIsVerified = Symbol('verified'); +const kRegExpEscapedStar = RegExpEscape('*'); + const noop = () => {}; let tlsTracingWarned = false; 
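Review bot: In the `addContext` hunk of PATCH 1/2 the wildcard replacement changes from `[^.]*` to `[^.]+`, which the subject line ("better escape servername") does not mention. With `+`, a context added for `*.example.com` no longer matches a name with an empty left-most label, and `a*.example.com` no longer matches `a.example.com`. SNI lookups that used to select this context would presumably now resolve to a different one. If the tightening is intended, state it in the commit message and in a comment such as `// '*' matches one or more characters within a single label`, and add a test, since the diffstat shows only `lib/internal/tls/wrap.js` touched; otherwise keep `[^.]*`. The body of `addContext` starts and ends outside the hunk.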
@@ -1542,7 +1544,7 @@ Server.prototype.addContext = function(servername, context) { throw new ERR_TLS_REQUIRED_SERVER_NAME(); } - const re = new RegExp(`^${RegExpEscape(servername).replace(/(?<=[^\\]|^)\\\*/g, '[^.]+')}$`); + const re = new RegExp(`^${RegExpEscape(servername).replaceAll(kRegExpEscapedStar, '[^.]+')}$`); const secureContext = context instanceof common.SecureContext ? context : tls.createSecureContext(context);
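Review bot: The final `const re = …` line in `addContext` has no comment explaining its order of operations, and that ordering is what makes it safe. The whole servername is escaped first, so characters the old character class missed (`(`, `)`, `|`) become literal, and only the escaped form of `*` is turned back into a wildcard. I would add `// Escape everything, then re-enable '*' as a single-label wildcard.` above the line, plus a one-line comment on `kRegExpEscapedStar` in the earlier hunk saying it is `*` as emitted by `RegExpEscape`. `RegExpEscape` appears to rely on the engine's `RegExp.escape`, so confirm the primordial exists on every release line this is meant to land on. A regression test using a servername with `(`, `|` or a literal backslash before `*` would pin the behaviour; the function continues outside the hunk.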