Platform: nodejs
Component: path-to-regexp
Fixed in: 0.1.13, 0.1.12
CVE-2024-52798 is a regular expression denial of service (ReDoS) vulnerability in the path-to-regexp package, affecting versions prior to 0.1.12. It arises from a generated regular expression that is susceptible to excessive backtracking, which can exhaust CPU on the server. The issue was initially reported as CVE-2024-45296 and affects Node.js applications that use this package. Upgrading to version 0.1.12 resolves it.
The core of the vulnerability is the regular expression that path-to-regexp generates for a route. An attacker can craft input that forces the regex engine into excessive backtracking, and that backtracking consumes substantial CPU time, potentially leaving the application unresponsive or causing it to crash. The impact extends beyond a single disrupted service: a prolonged attack can overwhelm the server, affect other services running on it, and potentially lead to data loss or corruption. The severity is amplified by how easily the vulnerability can be triggered with carefully crafted input strings, making it a significant risk for applications that rely on path-to-regexp for URL routing or parameter parsing.
The vulnerability is publicly known and documented, and a GitHub Advisory has been published for it. No active exploitation campaigns had been definitively linked to CVE-2024-52798 at the time of writing, but its ease of exploitation means it remains a plausible target. The advisory notes its similarity to previously observed ReDoS vulnerabilities, which suggests potential for automated scanning and exploitation.
Exploit Status
EPSS: 0.22% (44th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-52798 is to upgrade the path-to-regexp package to version 0.1.12 or later immediately. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, consider a workaround. One workaround is to avoid using two parameters within a single path segment when the separator between them is not a period (`.`). Alternatively, define the regular expression for each such parameter explicitly so that the two expressions cannot match overlapping input, which removes the opportunity for backtracking. Test any workaround thoroughly to ensure it neither introduces new vulnerabilities nor breaks application functionality. After upgrading, confirm the fix by exercising URL routing with a variety of input strings, including any previously identified as potentially triggering the ReDoS condition.
Update the path-to-regexp library to version 0.1.12 or later, which fixes the ReDoS vulnerability. Run `npm install path-to-regexp@latest` or `yarn add path-to-regexp@latest` to update.
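The following is an added example and is not code from the advisory or from the path-to-regexp project. It implements the workaround as a lint over route strings: every segment that contains two or more parameters separated by anything other than a single period is reported, so a team that cannot upgrade yet can find the routes to rewrite. The `:name` token syntax captured by `PARAM_RE`, the function names and the sample routes are assumptions and constructed input, not taken from the project.

```javascript
// Added example (not from the advisory or the path-to-regexp project):
// audit route strings for the shape the advisory's workaround says to avoid,
// namely two parameters inside one path segment separated by anything other
// than a period.

// Assumed 0.1.x token syntax for linting purposes: ":name", optionally followed
// by a custom regex "(...)" and a modifier "?", "*" or "+".
const PARAM_RE = /:(\w+)(\([^)]*\))?([?*+])?/g;

/**
 * Return the segments of `route` that contain two or more parameters whose
 * separator is not exactly ".". Each finding is
 * { segment, params: [names], separators: [text between consecutive params] }.
 */
function findRiskySegments(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = [];
    const starts = [];
    const ends = [];
    for (const m of segment.matchAll(PARAM_RE)) {
      params.push(m[1]);
      starts.push(m.index);
      ends.push(m.index + m[0].length);
    }
    if (params.length < 2) continue;
    const separators = [];
    for (let i = 1; i < params.length; i++) {
      separators.push(segment.slice(ends[i - 1], starts[i]));
    }
    // The workaround permits exactly one "." between parameters; anything else
    // is flagged, including an empty separator (adjacent parameters).
    if (separators.some((s) => s !== '.')) {
      findings.push({ segment, params, separators });
    }
  }
  return findings;
}

/** Audit a list of route strings; returns only the routes with findings. */
function auditRoutes(routes) {
  const report = [];
  for (const route of routes) {
    const findings = findRiskySegments(route);
    if (findings.length > 0) report.push({ route, findings });
  }
  return report;
}

// Constructed sample routes, as an Express 4 application might register them.
const SAMPLE_ROUTES = [
  '/users/:id',                // one parameter per segment: fine
  '/files/:name.:ext',         // two parameters separated by ".": permitted
  '/range/:from-:to',          // two parameters separated by "-": flagged
  '/pair/:a:b',                // adjacent parameters, empty separator: flagged
  '/v/:major.:minor.:patch',   // every separator is ".": fine
  '/items/:id/:slug',          // parameters in different segments: fine
];

for (const { route, findings } of auditRoutes(SAMPLE_ROUTES)) {
  for (const f of findings) {
    console.log(`${route}: segment "${f.segment}" has parameters ${f.params.join(', ')} ` +
                `separated by ${JSON.stringify(f.separators)}`);
  }
}
```

In a real project, feed `auditRoutes` the path strings passed to `app.get`, `app.use` and `router.route`, for example by grepping them out of the source or by wrapping the router registration functions in a test build.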
CVE-2024-52798 is a denial of service vulnerability in path-to-regexp versions before 0.1.12. Malicious input can trigger excessive backtracking in the generated regular expressions, leading to resource exhaustion and an unresponsive application.
You are affected if your Node.js application uses a path-to-regexp version prior to 0.1.12. Check which version your project depends on with `npm list path-to-regexp`.
Upgrade to version 0.1.12 or later. If an immediate upgrade is not possible, apply a workaround such as avoiding overlapping parameters within a single path segment.
While no active exploitation campaigns have been definitively linked to it, the vulnerability's ease of exploitation means it remains a plausible target.
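The following is an added example, not code from the advisory or from npm. `npm list path-to-regexp` prints every installed copy, including transitive ones; the script below does the same check directly against `package-lock.json`, so it can run in CI without a `node_modules` directory, and it flags each copy below the advisory's fixed version. A transitive copy matters here because Express 4 depends on the 0.1.x line, so a project may carry a vulnerable nested copy even after a fixed version is added as a direct dependency. The lockfile layout assumed is the documented one (lockfileVersion 2 and 3 list packages under `packages` keyed by `node_modules` path; lockfileVersion 1 nests them under `dependencies`); the sample lockfile and its version numbers are constructed.

```javascript
// Added example (not from the advisory or from npm): list every installed copy
// of path-to-regexp recorded in a package-lock.json and flag those below the
// version the advisory names as fixed.

const FIXED_VERSION = '0.1.12'; // "Fixed in" value from the advisory

/** Compare two dotted numeric versions ("0.1.10" vs "0.1.12"); returns -1, 0 or 1. */
function compareVersions(a, b) {
  const pa = String(a).split('.').map((x) => parseInt(x, 10) || 0);
  const pb = String(b).split('.').map((x) => parseInt(x, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

/** Affected range as the advisory states it: anything older than 0.1.12. */
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

/** Walk a lockfileVersion 1 "dependencies" tree, which nests packages under their parent. */
function collectV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'path-to-regexp') {
      out.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
    }
    collectV1(meta.dependencies, `${path}/`, out);
  }
}

/**
 * Scan a parsed package-lock.json. lockfileVersion 2 and 3 list every
 * installed package under "packages", keyed by its node_modules path;
 * lockfileVersion 1 nests them under "dependencies". Returns one record per
 * installed copy: { path, version, vulnerable }.
 */
function scanLockfile(lock) {
  const results = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '' || !path.endsWith('node_modules/path-to-regexp')) continue;
      results.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
    }
  } else {
    collectV1(lock.dependencies, '', results);
  }
  return results;
}

/** Only the copies that still need an upgrade. */
function vulnerableCopies(lock) {
  return scanLockfile(lock).filter((r) => r.vulnerable);
}

// Constructed sample lockfile (lockfileVersion 3). The root holds a fixed copy,
// but the copy nested under express is still in the affected range. Version
// numbers are illustrative, not a statement about any real express release.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { express: '4.21.0', 'path-to-regexp': '0.1.12' } },
    'node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/express': { version: '4.21.0', dependencies: { 'path-to-regexp': '0.1.10' } },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.10' },
  },
};

// For a real project: scanLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
for (const copy of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${copy.path}@${copy.version}: ${copy.vulnerable ? `VULNERABLE (< ${FIXED_VERSION})` : 'fixed'}`);
}
```

When the only vulnerable copy is nested under another package, installing `path-to-regexp@latest` at the root does not replace it; the parent package has to be updated to a release that depends on a fixed version, or the nested copy has to be pinned through your package manager's override mechanism.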
You can find the advisory on the GitHub Advisory page: https://github.com/advisories/GHSA-9wv6-86v2-598j