CVE-2024-45813
Severity: HIGH 7.5 | EPSS: 0.08%
find-my-way has a ReDoS vulnerability in multiparametric routes
Published: 9/18/2024 | Modified: 10/7/2024
Also known as: GHSA-rrr8-f88r-h8q6
Description
### Impact
A bad regular expression is generated any time you have two parameters within a single segment and add a `-` at the end, like `/:a-:b-`.
### Patches
Update to find-my-way v8.2.2 or v9.0.1, or subsequent versions.
### Workarounds
No known workarounds.
### References
- [CVE-2024-45296](https://github.com/advisories/GHSA-9wv6-86v2-598j)
- [Detailed blog post about `path-to-regexp` vulnerability](https://blakeembrey.com/posts/2024-09-web-redos/)
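The advisory describes the risky route shape precisely: two `:param` placeholders in one path segment with the segment ending in `-`. The following is an added example (not from the advisory or from find-my-way itself) that lints a list of route definitions for that shape so affected routes can be found in a codebase while the upgrade is rolled out; the parameter-name character class and the sample routes are assumptions.

```javascript
// Added example: flag route definitions matching the shape described in
// GHSA-rrr8-f88r-h8q6, i.e. a single path segment that contains two or more
// ':param' placeholders and ends with '-', such as '/:a-:b-'.
// The parameter-name pattern below is an assumption, not find-my-way's parser.
const PARAM_RE = /:[A-Za-z0-9_]+/g;

// Return the segments of `route` that have the risky shape.
function riskySegments(route) {
  return route
    .split('/')
    .filter(Boolean)
    .filter((seg) => {
      const params = seg.match(PARAM_RE) || [];
      return params.length >= 2 && seg.endsWith('-');
    });
}

// Lint every route and report {route, segment} pairs that need review.
function lintRoutes(routes) {
  const findings = [];
  for (const route of routes) {
    for (const segment of riskySegments(route)) {
      findings.push({ route, segment });
    }
  }
  return findings;
}

// Constructed sample routes (not taken from the advisory or any project).
const SAMPLE_ROUTES = [
  '/users/:id',               // single param: fine
  '/files/:name-:ext-',       // two params, trailing '-': flagged
  '/archive/:year-:month',    // two params, no trailing '-': not flagged
  '/:a-:b-/details',          // the advisory's own example shape: flagged
];

const findings = lintRoutes(SAMPLE_ROUTES);
console.log(`${findings.length} route segment(s) match the advisory shape:`);
for (const f of findings) {
  console.log(`  ${f.route}  (segment ${f.segment})`);
}
```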
Affected packages (1)
- npm/find-my-way: >= 5.5.0, < 8.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORY: https://github.com/advisories/GHSA-9wv6-86v2-598j
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45813
- PATCH: https://github.com/delvedor/find-my-way
- WEB: https://blakeembrey.com/posts/2024-09-web-redos
- WEB: https://github.com/delvedor/find-my-way/commit/17fae694dcefc056045da201681c1530f0f80518
- WEB: https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440
- WEB: https://github.com/delvedor/find-my-way/commit/66fa03923355b8da1db4ba572d66a4fee4a57cf5
- WEB: https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6