Platform: nodejs
Component: path-to-regexp
Fixed versions: 0.1.11, 0.2.1, 1.9.0
CVE-2024-45296 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the path-to-regexp package. This vulnerability allows an attacker to craft malicious input that triggers excessive CPU consumption, potentially leading to a denial of service. The vulnerability affects versions prior to 1.9.0 and 0.1.10; those two releases contain the fix.
The core of this vulnerability lies in the way path-to-regexp constructs regular expressions from path patterns. When two parameters exist within a single segment separated by a non-period character (e.g., /a-b), a poorly constructed regular expression can be generated. This regex, when matched against a crafted input, can lead to exponential backtracking, consuming significant CPU resources. An attacker could exploit this by sending specially crafted requests to an application using path-to-regexp, effectively causing a denial of service. The blast radius is limited to the application instance experiencing the excessive CPU load, but repeated attacks could impact overall system availability.
This vulnerability is not currently listed on KEV. The EPSS score is likely low to medium, given the need for specific crafted input and the relatively contained impact. Public proof-of-concept exploits are available, increasing the risk of exploitation. The CVE was published on 2024-09-09.
Applications built with Node.js that utilize the path-to-regexp package for routing or URL parsing are at risk. This includes web applications, APIs, and microservices. Projects relying on older versions of path-to-regexp without proper input validation are particularly vulnerable.
• nodejs / server:
npm audit path-to-regexp
• nodejs / supply-chain:
Check package.json and package-lock.json for versions of path-to-regexp prior to 1.9.0 or 0.1.10.
• generic web:
Monitor application CPU usage for spikes correlated with incoming requests containing potentially malicious path parameters.
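As an added example (not code from the advisory page or from the path-to-regexp project), the following script performs the supply-chain check above against a package-lock.json, walking every installed copy of path-to-regexp rather than only the top-level one, since the 0.1.x line usually arrives as a transitive pin. The fixed floors it assumes (0.1.10 for 0.x, 1.9.0 for 1.x, 8.0.0 for 2.x through 7.x) are taken from the version numbers this page states; the sample lockfile is constructed.

```javascript
// Added example, not the advisory's or the project's code. Assumed fixed
// floors, taken from the versions this page names: 0.1.10, 1.9.0, 8.0.0.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null; // null: tag/range/URL
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true = below its line's fixed floor, false = fixed, null = not a plain
// version string (report it for manual review rather than silently passing).
function isVulnerable(version) {
  const v = parseSemver(version);
  if (!v) return null;
  if (cmp(v, [0, 1, 10]) < 0) return true;               // 0.x before 0.1.10
  if (v[0] === 1 && cmp(v, [1, 9, 0]) < 0) return true;  // 1.x before 1.9.0
  if (v[0] >= 2 && cmp(v, [8, 0, 0]) < 0) return true;   // 2.x-7.x, fixed in 8.0.0
  return false;
}

// Handles both lockfile shapes: v2/v3 "packages" (keyed by install path)
// and v1 "dependencies" (nested tree). Every copy is checked.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/path-to-regexp') && isVulnerable(meta.version) !== false)
      hits.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'path-to-regexp' && isVulnerable(meta.version) !== false)
        hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one transitive 0.1.7 copy (flagged), one 1.9.0 (fixed).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/path-to-regexp': { version: '0.1.7' },
    'node_modules/router/node_modules/path-to-regexp': { version: '1.9.0' },
  },
};
```

Run it as `node scan.js` after replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no copy is below its fixed floor.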
disclosure
Exploit status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of path-to-regexp. Versions 1.9.0 and 0.1.10 include backtracking protection when a custom regex pattern is not provided. If upgrading immediately is not feasible, consider implementing rate limiting on incoming requests to the affected application. This can help prevent an attacker from overwhelming the system with malicious requests. Additionally, input validation and sanitization can help prevent malicious patterns from being processed. After upgrading, confirm the fix by sending a request with a crafted path pattern (e.g., /a-b) and monitoring CPU usage to ensure it remains within acceptable limits.
Update the path-to-regexp library to version 0.1.10 or later, or to version 8.0.0 or later. This fixes a denial-of-service (DoS) vulnerability caused by inefficient regular expressions. Run `npm update path-to-regexp` or `yarn upgrade path-to-regexp` to update to the latest version.
CVE-2024-45296 is a Denial of Service vulnerability in the path-to-regexp package, allowing attackers to cause excessive CPU usage through crafted input.
You are affected if you are using path-to-regexp versions prior to 1.9.0 or 0.1.10. Check your project dependencies to determine if you are vulnerable.
Upgrade to version 1.9.0 or 0.1.10. These versions include backtracking protection to prevent the ReDoS vulnerability.
While no confirmed active campaigns are known, public proof-of-concept exploits exist, increasing the risk of exploitation.
Refer to the path-to-regexp GitHub repository releases page for details: https://github.com/pillarjs/path-to-regexp/releases