CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52798 – path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x
https://notcve.org/view.php?id=CVE-2024-52798
05 Dec 2024 — path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296. • https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45296 – path-to-regexp outputs backtracking regular expressions
https://notcve.org/view.php?id=CVE-2024-45296
09 Sep 2024 — path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. • https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f • CWE-1333: Inefficient Regular Expression Complexity •