Intel

AIKIDO-2024-10181

path-to-regexp is vulnerable to Regular Expression Denial of Service (ReDoS)

Category: Regular Expression Denial of Service (ReDoS)
CVE-2024-45296
Published Jul 15, 2024

77 - High Risk

This affects:

JS package path-to-regexp:
- 0.1 - 0.1.11 (fixed in 0.1.12)
- 0.2.0 - 1.8.0 (fixed in 1.9.0)
- 2.0.0 - 3.2.0 (fixed in 3.3.0)
- 4.0.0 - 6.2.2 (fixed in 6.3.0)
- 7.0.0 - 7.0.0 (fixed in 7.1.0)

TL;DR

The patched version adds a strict option that detects potentially ReDoS-prone patterns. A bad regular expression is generated whenever two parameters within a single path segment are separated by something other than a period (.), for example /:a-:b.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

path-to-regexp is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 0.1 - 0.1.11, 0.2.0 - 1.8.0, 2.0.0 - 3.2.0, 4.0.0 - 6.2.2 and 7.0.0 - 7.0.0.

How to fix this

Upgrade the path-to-regexp library to the patched version for your release line. On patch version 7.1.0, also use the 'strict: true' option. Older patch versions add backtrack protection but do not protect against vulnerable user-supplied capture groups. It is advised to upgrade to version 8.0.0, which removes the vulnerable feature entirely.
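The TL;DR above describes the pattern shape that produces the bad regular expression (two parameters in one path segment not separated by a single period), and the fix section recommends upgrading and enabling strict mode. The following is an added example, not code from this advisory or from the path-to-regexp project, that audits route pattern strings for that shape so a team can find affected routes before upgrading or before turning on 'strict: true'. It assumes the simple ':name' parameter syntax and '/'-separated segments; the route list is constructed for the example.

```javascript
// Added example: a static check for route patterns that match the shape
// described in CVE-2024-45296 (two parameters within a single path segment
// separated by something other than a period). This is NOT path-to-regexp's
// own code; it only inspects the pattern string, so it runs without the library.

// Assumption: parameters use the ':name' form (letters, digits, underscore).
const PARAM_RE = /:([A-Za-z0-9_]+)/g;

// Return one finding per pair of adjacent parameters in a segment whose
// separator is anything other than exactly one period.
function findRedosProneSegments(pattern) {
  const findings = [];
  for (const segment of pattern.split('/')) {
    const params = [...segment.matchAll(PARAM_RE)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      // Literal text sitting between the end of one parameter and the next.
      const between = segment.slice(prev.index + prev[0].length, cur.index);
      if (between !== '.') {
        findings.push({ segment, params: [prev[1], cur[1]], separator: between });
      }
    }
  }
  return findings;
}

function isRedosProne(pattern) {
  return findRedosProneSegments(pattern).length > 0;
}

// Return only the routes that need review.
function auditRoutes(routes) {
  return routes.filter(isRedosProne);
}

// Constructed sample routes, in the style an Express application registers them.
const SAMPLE_ROUTES = [
  '/users/:id',        // one parameter per segment: fine
  '/files/:name.:ext', // two parameters separated by a period: fine
  '/:a-:b',            // the advisory's example: flagged
  '/:from:to',         // adjacent parameters with no separator: flagged
];

for (const route of SAMPLE_ROUTES) {
  const status = isRedosProne(route) ? 'REVIEW' : 'ok';
  console.log(`${status.padEnd(6)} ${route}`, findRedosProneSegments(route));
}
```

The check is a pattern-level heuristic: a route it does not flag can still rely on the library's own regex generation, so the upgrade remains the actual fix, and on the 7.1.0 line 'strict: true' makes path-to-regexp itself reject the same shape at compile time rather than depending on an external audit.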