CVE-2024-52798
HIGH 7.5 | EPSS 0.30% | path-to-regexp contains a ReDoS
Published: 2024/12/5 | Modified: 2026/2/4
Description
### Impact
Versions of `path-to-regexp` before 0.1.12 can still generate a regular expression that is vulnerable to backtracking; the problem was originally reported as CVE-2024-45296.
### Patches
Upgrade to 0.1.12.
### Workarounds
Avoid using two parameters within a single path segment when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, define the regex used for both parameters yourself and ensure the two patterns do not overlap (overlap is what allows the backtracking).
### References
- https://github.com/advisories/GHSA-9wv6-86v2-598j
- https://blakeembrey.com/posts/2024-09-web-redos/
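The following is an added example, not code from the advisory or from the path-to-regexp project. It does two things: it lints Express 4 style route strings for the exact condition the workaround describes (two parameters in one segment, separator other than `.`, not both with a custom pattern), and it times a reconstructed `/:a-:b` regex against a crafted path beside the hardened `/:a([^/-]+)-:b([^/-]+)` form. The regex shapes `VULNERABLE` and `HARDENED`, the attack input and the function names `riskySegments`, `attackPath` and `timeMatch` are all assumptions of this example: the regexes reconstruct what the 0.1.x generator emits (default parameter pattern `[^/]+?`, optional trailing slash, end anchor) rather than being copied from its source.

```javascript
// Added example, not code from the advisory or from path-to-regexp itself.
// Two parts: (1) a lint that flags routes matching the advisory's risk
// condition, and (2) a timing demo of why that condition matters.
//
// ASSUMPTION: the regex shapes below reconstruct what path-to-regexp 0.1.x
// emits for a route (default parameter pattern "[^/]+?", each parameter
// wrapped in "(?:...)", optional trailing slash, end anchor). They are written
// from the 0.1.x generator's behaviour as described in the advisory, not
// copied from its source.

// Tokens in an Express 4 style route: either a parameter ":name" with an
// optional custom "(...)" pattern, or a "/" segment boundary. Matching the
// parameter alternative first keeps a "/" inside a custom pattern from being
// mistaken for a boundary.
const TOKEN_RE = /:(\w+)(\([^)]*\))?|\//g;

// Flag every pair of adjacent parameters that share a segment, are separated
// by something other than ".", and are not both given a custom pattern. A
// custom pattern is accepted as-is; it is still the author's job to make it
// exclude the separator (e.g. "[^/-]+" for a "-" separator), as the advisory
// requires.
function riskySegments(route) {
  const findings = [];
  let prev = null; // previous parameter in the current segment, if any
  for (const m of route.matchAll(TOKEN_RE)) {
    if (m[0] === '/') {
      prev = null;
      continue;
    }
    const param = { name: m[1], custom: m[2] !== undefined, end: m.index + m[0].length };
    if (prev !== null) {
      const separator = route.slice(prev.end, m.index);
      if (separator !== '.' && !(prev.custom && param.custom)) {
        findings.push({ params: [prev.name, param.name], separator });
      }
    }
    prev = param;
  }
  return findings;
}

// Reconstructed regex for "/:a-:b" (see ASSUMPTION above). Both parameter
// patterns can consume "-", so the engine retries every split of a run of
// hyphens before giving up.
const VULNERABLE = /^\/(?:([^\/]+?))-(?:([^\/]+?))\/?$/;

// Same route with the workaround applied, "/:a([^/-]+)-:b([^/-]+)": the
// custom patterns cannot consume the separator, so there is nothing to retry.
const HARDENED = /^\/(?:([^\/-]+))-(?:([^\/-]+))\/?$/;

// Constructed attack input: n hyphens, then "/x" so the end anchor can never
// match and the whole split space is explored. Cost grows about n^2 for two
// default parameters; each extra default parameter in the segment multiplies
// it by another factor of n.
function attackPath(n) {
  return '/' + '-'.repeat(n) + '/x';
}

// Time one match attempt; returns whether it matched and the elapsed ms.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Demo run: lint a few routes, then time both regexes on growing inputs.
for (const route of ['/:a-:b', '/:a.:b', '/:a/:b', '/:a([^/-]+)-:b([^/-]+)']) {
  console.log(route, '->', JSON.stringify(riskySegments(route)));
}
for (const n of [1000, 2000, 4000]) {
  const input = attackPath(n);
  const v = timeMatch(VULNERABLE, input);
  const h = timeMatch(HARDENED, input);
  console.log(`n=${n}: vulnerable ${v.ms.toFixed(1)} ms, hardened ${h.ms.toFixed(3)} ms (both reject)`);
}
```

Run it with `node` and the vulnerable timings roughly quadruple each time n doubles, while the hardened regex fails at the first hyphen regardless of n. The lint is the practical takeaway for an Express 4 code base that cannot upgrade immediately: run `riskySegments` over every registered route string and treat any finding as a route that needs either a `.` separator, a segment split, or custom non-overlapping patterns on both parameters.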
Affected packages (1)
- npm/path-to-regexp: from 0, < 0.1.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-52798
- PATCH: https://github.com/pillarjs/path-to-regexp
- WEB: https://blakeembrey.com/posts/2024-09-web-redos
- WEB: https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4
- WEB: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w
- WEB: https://security.netapp.com/advisory/ntap-20250124-0002