Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add backtrack protection to 1.x release #320

Merged
merged 1 commit into from
Sep 10, 2024
Merged

Conversation

blakeembrey
Copy link
Member

@blakeembrey blakeembrey commented Sep 10, 2024

I'm confident this shouldn't break 99.9% of usages, but may impact some edge cases of users of the library. Fixes ReDoS vector on matching. Closes #318. Does not fix ReDoS if user provides a vulnerable regex themselves, so I'll update the advisory to make it clear that it's possible to create a ReDoS if you override parameters with a custom capture and that isn't covered by the fix.

@beaneyd-ELS
Copy link

Thank you for the fix, can you get the affected versions updated on: GHSA-9wv6-86v2-598j please? As 1.9 is detected as broken when it is between 0.2.0 and 8.0.0

@oFlo193o
Copy link

oFlo193o commented Sep 16, 2024

@blakeembrey is it save to update from 0.2.5 -> 1.9.0 or are there any breaking changes, as 0.2.5 is still being used by @nestjs/serve-static
nestjs/serve-static#1454

@blakeembrey
Copy link
Member Author

You use update to 1.9.0, there were no breaking changes in 1.0.0: https://github.com/pillarjs/path-to-regexp/blob/7aff887e73ee8bca5cc98ee6239616da07eb8523/History.md#100--2014-08-17

@matei4adrian
Copy link

matei4adrian commented Sep 27, 2024

Hi, @blakeembrey! This version is still seen as a vulnerable version by JFrog Xray (CVE-2024-45296). The next version that is not vulnerable is 8.0.0, but this update includes breaking changes that could not be solved for packages like react-router v5. Is it possible to completely remove the vulnerability for version 1.x.x and other major versions below 8.x.x? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants