Platform: nodejs
Component: path-to-regexp
Fixed in: 0.1.13, 0.1.12
CVE-2024-52798 addresses a Regular Expression Denial of Service (ReDoS) vulnerability discovered in the path-to-regexp library. This vulnerability stems from a flawed regular expression that can lead to excessive backtracking, consuming significant computational resources and potentially causing a denial of service. The issue affects versions prior to 0.1.12 and is directly related to CVE-2024-45296. The recommended fix is to upgrade to version 0.1.12.
An attacker can trigger this ReDoS vulnerability by crafting specific URL paths that exploit the flawed regular expression in path-to-regexp. This can lead to a significant increase in CPU usage, potentially causing the application to become unresponsive or crash. The impact is a denial of service, preventing legitimate users from accessing the application. The vulnerability's severity is heightened by its potential to impact a wide range of applications that rely on path-to-regexp for URL routing. The backtracking complexity can quickly escalate, leading to resource exhaustion and application instability.
CVE-2024-52798 is actively being tracked and has a GitHub Advisory (GHSA-9wv6-86v2-598j). A proof-of-concept (POC) is available demonstrating the ReDoS vulnerability. The vulnerability's EPSS score is likely medium to high, indicating a reasonable probability of exploitation. The vulnerability was published on December 5, 2024, and is actively being discussed in security communities.
Applications built on Node.js that utilize the path-to-regexp package for URL routing or parameter parsing are at risk. This includes web applications, APIs, and microservices. Projects relying on older versions of path-to-regexp without proper input validation are particularly vulnerable.
• nodejs / server: `npm list path-to-regexp`
• nodejs / server: `npm audit path-to-regexp`
• nodejs / server: `grep -r 'path-to-regexp' ./node_modules`
Disclosure
Exploit status
EPSS: 0.22% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-52798 is to upgrade the path-to-regexp library to version 0.1.12 or later. If upgrading is not immediately feasible, a workaround involves avoiding the use of two parameters within a single path segment when the separator is not a period (.). Alternatively, carefully define the regular expression used for both parameters to prevent overlapping and backtracking. Monitor CPU usage and application responsiveness to detect potential ReDoS attacks. Consider implementing rate limiting to mitigate the impact of a successful attack. After upgrading, test URL routing with various inputs to ensure the vulnerability is resolved.
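The workaround above is about the shape of a route string rather than about any one input, so it can be checked mechanically. The following lint helper is an added example written for this page, not code from the advisory or from the path-to-regexp project: it scans Express/path-to-regexp 0.1.x style route strings for two parameters in one `/`-delimited segment whose separator is not `.` and whose first parameter keeps the default pattern. The `SAMPLE_ROUTES` list and the `excludesSeparator` heuristic are assumptions made for the demo.

```javascript
// Added example (not from the advisory or path-to-regexp). Flags route
// strings matching the advisory's workaround condition: two parameters in a
// single segment, separator other than ".", first parameter without an
// explicit regex that excludes the separator. Output is a review hint only.
const PARAM_TOKEN = /:([A-Za-z0-9_]+)(\([^)]*\))?/g;

// Returns [{name, custom, start, end}] for every ":param" in one segment.
function parseParams(segment) {
  return Array.from(segment.matchAll(PARAM_TOKEN), (m) => ({
    name: m[1],
    custom: m[2] || null, // explicit "(regex)" group, if any
    start: m.index,
    end: m.index + m[0].length,
  }));
}

// Heuristic (assumption): a negated class such as "([^-]+)" that lists every
// separator character cannot overlap with the text after the separator.
function excludesSeparator(custom, sep) {
  if (custom === null || !/^\(\[\^[^\]]*\]/.test(custom)) return false;
  const cls = custom.slice(3, custom.indexOf(']'));
  return [...sep].every((c) => cls.includes(c));
}

function lintRoute(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = parseParams(segment);
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const sep = segment.slice(prev.end, params[i].start);
      if (sep === '.') continue; // the one separator the workaround allows
      const safe = excludesSeparator(prev.custom, sep);
      findings.push({
        route, segment, separator: sep, params: [prev.name, params[i].name],
        level: safe ? 'ok' : prev.custom ? 'review' : 'risky',
      });
    }
  }
  return findings;
}

function lintRoutes(routes) { return routes.flatMap(lintRoute); }

// Constructed sample routes for the demo.
const SAMPLE_ROUTES = [
  '/users/:id',              // single parameter: nothing to flag
  '/files/:name.:ext',       // "." separator: allowed by the workaround
  '/range/:from-:to',        // two default-pattern params split by "-": risky
  '/range/:from([^-]+)-:to', // first param excludes "-": ok
  '/pair/:a(\\d+)-:b',       // custom regex, not provably disjoint: review
];
for (const f of lintRoutes(SAMPLE_ROUTES)) console.log(f.level.padEnd(6), f.route);
```

Run it against the route definitions of an application that cannot be upgraded yet; every `risky` line is a segment to rewrite as the workaround describes, and `review` lines need a manual look at the custom pattern.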
Update the path-to-regexp library to version 0.1.12 or later. This fixes the ReDoS vulnerability. Run `npm install path-to-regexp@latest` or `yarn add path-to-regexp@latest` to update.
CVE-2024-52798 is a denial of service vulnerability in path-to-regexp versions before 0.1.12. Malicious input can trigger excessive backtracking in regular expressions, leading to resource exhaustion and application unresponsiveness.
You are affected if your Node.js application uses path-to-regexp versions prior to 0.1.12. Check your project dependencies using `npm list path-to-regexp` to determine your version.
Upgrade to version 0.1.12 or later. If immediate upgrade is not possible, implement workarounds like avoiding overlapping parameters in path segments.
While no active exploitation campaigns have been definitively linked, the vulnerability's ease of exploitation suggests it remains a potential target.
You can find the advisory on the GitHub Advisory page: https://github.com/advisories/GHSA-9wv6-86v2-598j