Unpatched `path-to-regexp` ReDoS in 0.1.x

Moderate severity GitHub Reviewed Published Dec 5, 2024 in pillarjs/path-to-regexp • Updated Dec 6, 2024

Package

npm path-to-regexp (npm)

Affected versions

< 0.1.12

Patched versions

0.1.12

Description

Impact

The 0.1.x release line of path-to-regexp can still generate a regular expression that is vulnerable to backtracking, the issue originally reported in CVE-2024-45296.

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, define the regex used for both parameters explicitly and ensure the two captures cannot match the same characters, since that overlap is what allows the backtracking.
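As an added example (not code from the advisory or the path-to-regexp project), a small route-audit helper that flags the route shape the workaround describes, so routes still served by path-to-regexp 0.1.x (< 0.1.12) can be located. It assumes 0.1.x-style route syntax where `:name` starts a parameter and an optional `(...)` right after it is a custom regex, and it inspects route strings only, without compiling or matching them.

```javascript
// Added example: audit route strings for the pattern the advisory warns about
// (two parameters in one path segment joined by a separator other than '.').
// Assumes path-to-regexp 0.1.x route syntax: ':name' begins a parameter, an
// optional '(...)' right after it is a custom regex, '?' or '*' may follow.
// Nested parentheses inside a custom regex are not handled (assumption).
const PARAM = /:(\w+)(\([^)]*\))?[?*]?/g;

function findRiskySegments(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = [];
    PARAM.lastIndex = 0;
    let m;
    while ((m = PARAM.exec(segment)) !== null) {
      params.push({ name: m[1], custom: m[2] !== undefined,
                    start: m.index, end: m.index + m[0].length });
    }
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1], cur = params[i];
      const separator = segment.slice(prev.end, cur.start);
      // The advisory's safe case: parameters split by '.' only.
      if (separator === '.') continue;
      findings.push({
        segment, params: [prev.name, cur.name], separator,
        // Both captures explicitly defined: still needs a human check that the
        // two regexes cannot match the same characters. Otherwise the default
        // capture is used on at least one side, which is the risky shape.
        level: prev.custom && cur.custom ? 'review' : 'risky',
      });
    }
  }
  return findings;
}

// Audit a whole route table; returns only routes with findings.
function auditRoutes(routes) {
  return routes.map((route) => ({ route, findings: findRiskySegments(route) }))
               .filter((r) => r.findings.length > 0);
}

// Constructed sample route table (not from any real application).
const SAMPLE_ROUTES = [
  '/users/:id', '/files/:name.:ext', '/range/:from-:to',
  '/slug/:a([^-]+)-:b([^-]+)', '/posts/:year/:month',
];
for (const r of auditRoutes(SAMPLE_ROUTES)) {
  for (const f of r.findings) {
    console.log(`${f.level}: ${r.route} segment "${f.segment}" sep "${f.separator}"`);
  }
}
```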

References

@blakeembrey blakeembrey published to pillarjs/path-to-regexp Dec 5, 2024
Published to the GitHub Advisory Database Dec 5, 2024
Reviewed Dec 5, 2024
Published by the National Vulnerability Database Dec 5, 2024
Last updated Dec 6, 2024

Severity

Moderate

EPSS score

0.043% (11th percentile)

Weaknesses

CVE ID

CVE-2024-52798

GHSA ID

GHSA-rhx6-c78j-4q9w
