Fluid Attacks Database

Description

path-to-regexp contains a ReDoS

Impact

The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

https://github.com/advisories/GHSA-9wv6-86v2-598j

https://blakeembrey.com/posts/2024-09-web-redos/

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	path-to-regexp	>=0 <0.1.12	0.1.12
rpm rhel6	thunderbird	-	-
rpm rhel7	thunderbird	-	-
rpm rhel6	firefox	-	-

Aliases

1. CVE-2024-527982. NVD-2024-527983. OSV-2024-527984. GHSA-rhx6-c78j-4q9w5. GCVE-2024-52798

References

1. https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w2. https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a43. https://blakeembrey.com/posts/2024-09-web-redos4. https://security.netapp.com/advisory/ntap-20250124-0002

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.