CVE-2024-45296

CVE-2024-45296 affects pillarjs/path-to-regexp by potentially emitting backtracking-prone regular expressions when converting path strings to regexes, which can cause Denial of Service in single-threaded JavaScript environments. Affected versions are < 0.1.10 and >= 0.2.0, < 8.0.0; upgrading to 0.1.10 or to 8.0.0+ mitigates the issue.


Description

path-to-regexp converts path strings into regular expressions. In certain cases, it can generate a regular expression that is highly susceptible to inefficient backtracking, leading to poor performance. Specifically, a problematic regex is produced when there are two parameters within a single path segment separated by a character that is not a period. Since JavaScript runs regex matching on the main thread, such backtracking-heavy expressions can block the event loop and cause a denial of service. The advisory notes that users on the 0.1 line should upgrade to 0.1.10, and all other users should upgrade to 8.0.0 or newer. The issue does not expose data but can render servers unresponsive under certain inputs.

Overview

The vulnerability stems from path-to-regexp generating backtracking-prone regular expressions when converting certain path patterns into regexes. In environments where JavaScript runs on a single thread, lengthy or nested backtracking during regex evaluation can exhaust CPU time and block the event loop, resulting in a denial of service. Affected versions include < 0.1.10 and >= 0.2.0, < 8.0.0. Upgrading to 0.1.10 or to 8.0.0 (or newer) mitigates the risk. The issue is triggered by specific path segment patterns involving two parameters separated by non-period characters.

Remediation

  • Upgrade to fixed versions:
    • If you are on the 0.1 line: upgrade to 0.1.10.
    • If you are on 0.2.x through 7.x: upgrade to 8.0.0 or newer.
  • Implement upgrade in your package manager:
    • npm: npm install path-to-regexp@^0.1.10 (for the 0.1 line) or npm install path-to-regexp@^8.0.0 (for the 0.2.x through 7.x line), then run npm install to refresh the lockfile.
    • yarn or pnpm: adjust the version constraints accordingly and reinstall.
  • Verify and test:
    • Run npm ls path-to-regexp to confirm the patched version is in use.
    • Run full regression tests and monitor for performance or functional issues.
  • Additional guidance:
    • Review your dependency tree for indirect usages of vulnerable path-to-regexp versions and update transitive dependencies as needed.
    • After upgrading, monitor for any performance regressions and consider running targeted DoS/load tests to confirm the mitigation.
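The two checks a defender wants from the advisory text above are (1) which copies of path-to-regexp in the dependency tree fall in the affected ranges, including transitive ones, and (2) which route patterns have the shape the description identifies (two parameters in one path segment separated by something other than a period). The script below is an added audit example, not code from path-to-regexp or from the advisory. It assumes a dependency tree shaped like `npm ls --json` output (constructed inline here rather than read from npm) and a list of route strings; package names, versions and routes in the sample data are constructed for illustration. Flagging empty or multi-character separators is a conservative choice of this script, not a statement the advisory makes.

```javascript
// Added audit helper for CVE-2024-45296 (not part of path-to-regexp or the
// advisory). All sample data below is constructed for illustration.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges from the advisory: < 0.1.10, and >= 0.2.0 < 8.0.0.
function isAffectedVersion(version) {
  if (compareVersions(version, "0.1.10") < 0) return true;
  return compareVersions(version, "0.2.0") >= 0 && compareVersions(version, "8.0.0") < 0;
}

// Walk an object shaped like `npm ls --json` output and collect every copy of
// `name` (direct or transitive), recording the dependency path to each copy.
function findPackageVersions(tree, name, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = [...path, dep];
    if (dep === name && info.version) {
      out.push({ path: here.join(" > "), version: info.version, affected: isAffectedVersion(info.version) });
    }
    findPackageVersions(info, name, here, out);
  }
  return out;
}

// Report path segments with two or more `:param` tokens whose separator is not
// a lone period (the shape the advisory describes). Empty or multi-character
// separators are reported too; that is this script's conservative assumption.
function findRiskyRoutePatterns(routes) {
  const findings = [];
  const param = /:[A-Za-z0-9_]+/g;
  for (const route of routes) {
    for (const segment of route.split("/")) {
      const params = [...segment.matchAll(param)];
      for (let i = 1; i < params.length; i++) {
        const prev = params[i - 1];
        const sep = segment.slice(prev.index + prev[0].length, params[i].index);
        if (sep !== ".") findings.push({ route, segment, separator: sep });
      }
    }
  }
  return findings;
}

// Constructed sample tree: one direct copy and two transitive copies.
const sampleTree = {
  dependencies: {
    "web-framework": { version: "4.0.0", dependencies: { "path-to-regexp": { version: "0.1.7" } } },
    "some-router": { version: "1.0.0", dependencies: { "path-to-regexp": { version: "6.2.1" } } },
    "path-to-regexp": { version: "8.0.0" },
  },
};

// Constructed sample routes: only the last one has the risky shape.
const sampleRoutes = ["/users/:id", "/files/:name.:ext", "/range/:from-:to"];

console.log(JSON.stringify(findPackageVersions(sampleTree, "path-to-regexp"), null, 2));
console.log(JSON.stringify(findRiskyRoutePatterns(sampleRoutes), null, 2));
```

On a real project, feed `findPackageVersions` the parsed output of `npm ls path-to-regexp --json --all`; any entry with `affected: true` is a copy the upgrade has not reached, typically because a transitive dependency still pins an old range. The route check is a cheap pre-upgrade triage of which patterns to exercise in the load tests the remediation list recommends.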

References

  • GHSA-9wv6-86v2-598j: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
  • Commit fixing the issue: https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
  • Additional fix/related change: https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
  • NetApp advisory entry: https://security.netapp.com/advisory/ntap-20250124-0001/

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
  2. Professional, Scientific, & Technical Services: Low
  3. Public Administration: Low
  4. Finance and Insurance: Low
  5. Health Care & Social Assistance: Low
  6. Retail Trade: Low
  7. Arts, Entertainment & Recreation: Low
  8. Management of Companies & Enterprises: Low
  9. Real Estate Rental & Leasing: Low
  10. Transportation & Warehousing: Low
  11. Educational Services: Low
  12. Other Services (except Public Administration): Low
  13. Accommodation & Food Services: Low
  14. Administrative, Support, Waste Management & Remediation Services: Low
  15. Agriculture, Forestry, Fishing & Hunting: Low
  16. Construction: Low
  17. Information: Low
  18. Mining: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
