CVE-2024-45296

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
https://security.netapp.com/advisory/ntap-20250124-0001/

Configurations

No configuration.

History

24 Jan 2025, 20:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20250124-0001/ -

Information

Published : 2024-09-09 19:15

Updated : 2025-01-24 20:15

NVD link : CVE-2024-45296

Mitre link : CVE-2024-45296

CVE.ORG link : CVE-2024-45296

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2024-45296", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-09T19:15:13.330", "references": [{"url": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", "source": "security-advisories@github.com"}, {"url": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", "source": "security-advisories@github.com"}, {"url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20250124-0001/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0."}, {"lang": "es", "value": "path-to-regexp convierte cadenas de ruta en expresiones regulares. En ciertos casos, path-to-regexp generar\u00e1 una expresi\u00f3n regular que puede explotarse para generar un rendimiento deficiente. Debido a que JavaScript es de un solo subproceso y la coincidencia de expresiones regulares se ejecuta en el subproceso principal, un rendimiento deficiente bloquear\u00e1 el bucle de eventos y provocar\u00e1 un ataque de denegaci\u00f3n de servicio (DoS). La expresi\u00f3n regular incorrecta se genera cada vez que hay dos par\u00e1metros dentro de un solo segmento, separados por algo que no sea un punto (.). Para los usuarios de la versi\u00f3n 0.1, actualice a la versi\u00f3n 0.1.10. Todos los dem\u00e1s usuarios deben actualizar a la versi\u00f3n 8.0.0."}], "lastModified": "2025-01-24T20:15:32.680", "sourceIdentifier": "security-advisories@github.com"}