Impact
The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296.
Patches
Upgrade to 0.1.12.
Workarounds
Avoid using two parameters within a single path segment when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap, since overlapping parameter regexes are what allow the backtracking.
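As an added example (not part of the advisory or the path-to-regexp project), the following lint check walks an application's route strings and flags the pattern the workaround describes: two parameters in one path segment with a separator other than `.`. It assumes the 0.1.x parameter syntax `:name` with an optional custom regex in parentheses (nested parentheses are not handled), and it reports whether both parameters carry a custom regex, since a human still has to confirm those regexes do not overlap.

```javascript
// Hypothetical lint helper for route strings written for path-to-regexp 0.1.x.
// Assumption: a parameter is ":name" (\w+) optionally followed by a custom
// regex in parentheses, e.g. ":id(\\d+)". Nested parentheses are not supported.
const PARAM = /:(\w+)(?:\(((?:\\.|[^()\\])*)\))?/g;

// Returns one finding per adjacent parameter pair in the same path segment
// whose separator is not ".", the case the advisory's workaround says to avoid.
function findRiskySegments(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = [...segment.matchAll(PARAM)];
    if (params.length < 2) continue; // a single parameter per segment is fine
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      // Literal text between the end of one parameter and the start of the next.
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      if (separator === '.') continue; // the advisory treats "." as safe
      findings.push({
        segment,
        params: [prev[1], cur[1]],
        separator,
        // Both parameters define their own regex: acceptable only if those
        // regexes cannot match the same characters. Flagged for manual review.
        bothCustom: prev[2] !== undefined && cur[2] !== undefined,
      });
    }
  }
  return findings;
}

// Lint a whole route table and return only the risky ones.
function lintRoutes(routes) {
  return routes.flatMap((route) =>
    findRiskySegments(route).map((f) => ({ route, ...f })),
  );
}

// Constructed sample route table for demonstration.
const SAMPLE_ROUTES = ['/users/:id', '/files/:name.:ext', '/range/:from-:to'];
console.log(lintRoutes(SAMPLE_ROUTES));
```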
References