CVE-2024-45296: path-to-regexp outputs backtracking regular expressions
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
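Added example (not from the advisory or the path-to-regexp project): a small JavaScript audit that scans route pattern strings for the shape described above, two parameters in one segment separated by something other than a period, so affected patterns can be located in a codebase before or alongside upgrading. It assumes path-to-regexp style ":name" parameters with an optional parenthesised custom regex and "/" as the segment delimiter; the route list is constructed sample input.

```javascript
// Added example: audit route patterns for the CVE-2024-45296 shape.
// Assumed syntax: ":name" parameters, optionally followed by "(custom regex)",
// with segments delimited by "/". Not the project's own code.

const PARAM_RE = /:([A-Za-z0-9_]+)(\([^)]*\))?/g;

// Returns one finding per pair of adjacent parameters that share a segment
// and are separated by anything other than a single period.
function findRiskySegments(pattern) {
  const findings = [];
  pattern.split("/").forEach((segment, segmentIndex) => {
    const params = [...segment.matchAll(PARAM_RE)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      if (separator !== ".") {
        findings.push({
          segment: segmentIndex,
          params: [prev[1], cur[1]],
          separator,
          // Reported so a reviewer can check whether both custom groups
          // could still match overlapping input.
          bothConstrained: Boolean(prev[2] && cur[2]),
        });
      }
    }
  });
  return findings;
}

// Audits a list of route strings and tags each finding with its route.
function auditRoutes(routes) {
  return routes.flatMap((route) =>
    findRiskySegments(route).map((f) => ({ route, ...f }))
  );
}

// Constructed sample routes for the audit.
const sampleRoutes = [
  "/users/:id",                    // one param per segment: not flagged
  "/files/:name.:ext",             // two params, period separator: not flagged
  "/range/:from-:to",              // two params, "-" separator: flagged
  "/:year(\\d{4})-:month(\\d{2})", // custom groups, "-" separator: flagged
];

for (const f of auditRoutes(sampleRoutes)) {
  console.log(`${f.route}: ':${f.params[0]}' and ':${f.params[1]}' separated by '${f.separator}'`);
}
```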
References
- github.com/advisories/GHSA-9wv6-86v2-598j
- github.com/pillarjs/path-to-regexp
- github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
- github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
- github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485
- github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef
- github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894
- github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
- nvd.nist.gov/vuln/detail/CVE-2024-45296
- security.netapp.com/advisory/ntap-20250124-0001