Headline
GHSA-rhx6-c78j-4q9w: Unpatched `path-to-regexp` ReDoS in 0.1.x
Impact
The 0.1.x release line of path-to-regexp can generate a regular expression that is vulnerable to backtracking (ReDoS) when it compiles a route string. The issue was originally reported in GHSA-9wv6-86v2-598j (https://github.com/advisories/GHSA-9wv6-86v2-598j), whose fix did not cover 0.1.x.
Patches
Upgrade to 0.1.12.
Workarounds
Avoid using two parameters within a single path segment when the separator is not `.` (e.g. no `/:a-:b`); `.` is the exception because 0.1.x already excludes it from the character class of the parameter that follows it, so the two captures cannot overlap. Alternatively, define a custom regex for both parameters and make sure the two patterns cannot overlap (neither should be able to match the separator), so that no backtracking is possible.
References
- https://github.com/advisories/GHSA-9wv6-86v2-598j
- https://blakeembrey.com/posts/2024-09-web-redos/
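To make the workaround concrete, here is an added example in Node.js; it is not code from the advisory or from path-to-regexp itself. The two regexes are hand-reconstructed approximations of what 0.1.x compiles `/:a-:b` and the custom-regex form `/:a([^\/-]+)-:b([^\/-]+)` into, based on the library's `([^\/]+?)` parameter capture. `matchRoute`, `attackPath` and `timeMatch` are helpers written for this example, and the attack path is a constructed input.

```javascript
// Added example: reconstructs the regexes path-to-regexp 0.1.x emits for a
// two-parameter segment and shows why the overlapping captures backtrack.

// Route `/:a-:b` as compiled by 0.1.x (reconstructed, not copied from the
// library): each parameter is a lazy capture `([^\/]+?)` that can also consume
// the `-` separator, so the two captures overlap.
const VULNERABLE = /^\/(?:([^\/]+?))-(?:([^\/]+?))\/?$/i;

// Workaround form `/:a([^\/-]+)-:b([^\/-]+)` (reconstructed): each custom
// capture excludes the separator, so there is exactly one way to split the
// segment and nothing to retry.
const HARDENED = /^\/(?:([^\/-]+))-(?:([^\/-]+))\/?$/i;

// Extract the two route parameters, or null if the route does not match.
function matchRoute(re, path) {
  const m = re.exec(path);
  return m ? { a: m[1], b: m[2] } : null;
}

// Constructed attack input: a segment made only of `-` characters followed by
// `/x`, so the trailing `\/?$` never matches and every (a, b) split is retried.
function attackPath(n) {
  return '/' + '-'.repeat(n) + '/x';
}

// Time one match attempt in milliseconds.
function timeMatch(re, path) {
  const start = process.hrtime.bigint();
  const matched = re.test(path);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

function expect(cond, msg) {
  if (!cond) throw new Error(msg);
}

// 1. Ambiguity: with overlapping captures the split point is not unique. The
//    lazy quantifier stops at the first `-`, so `/a-b-c` parses as a='a',
//    b='b-c'; the hardened route rejects the path instead of guessing.
const lazySplit = matchRoute(VULNERABLE, '/a-b-c');
expect(lazySplit.a === 'a' && lazySplit.b === 'b-c', 'unexpected lazy split');
expect(matchRoute(HARDENED, '/a-b-c') === null, 'hardened route should reject /a-b-c');

// 2. Cost: the vulnerable route retries every (a, b) split before failing, so
//    the time grows roughly with the square of the segment length; the
//    hardened route fails at the first `-` because neither capture can take it.
for (const n of [1000, 2000, 4000, 8000]) {
  const v = timeMatch(VULNERABLE, attackPath(n));
  const h = timeMatch(HARDENED, attackPath(n));
  expect(!v.matched && !h.matched, 'attack path must not match either route');
  console.log(`n=${n}\tvulnerable=${v.ms.toFixed(1)}ms\thardened=${h.ms.toFixed(3)}ms`);
}
```

Run it with `node`; the vulnerable timings grow roughly fourfold each time `n` doubles, while the hardened route rejects the same input immediately. Upgrading to 0.1.12 remains the fix: the custom-regex form is a stopgap, and it also tightens route semantics (a path such as `/a-b-c` no longer matches at all).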
Package
path-to-regexp (npm)
Affected versions
< 0.1.12
Patched versions
0.1.12
References
- GHSA-rhx6-c78j-4q9w
- https://blakeembrey.com/posts/2024-09-web-redos
blakeembrey published to pillarjs/path-to-regexp
Dec 5, 2024
Published to the GitHub Advisory Database
Dec 5, 2024
Reviewed
Dec 5, 2024
Last updated
Dec 5, 2024