FKIE_CVE-2024-45296

Vulnerability from fkie_nvd - Published: 2024-09-09 19:15 - Updated: 2025-01-24 20:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
References
security-advisories@github.comhttps://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
security-advisories@github.comhttps://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
security-advisories@github.comhttps://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20250124-0001/
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0."
    },
    {
      "lang": "es",
      "value": "path-to-regexp convierte cadenas de ruta en expresiones regulares. En ciertos casos, path-to-regexp generar\u00e1 una expresi\u00f3n regular que puede explotarse para generar un rendimiento deficiente. Debido a que JavaScript es de un solo subproceso y la coincidencia de expresiones regulares se ejecuta en el subproceso principal, un rendimiento deficiente bloquear\u00e1 el bucle de eventos y provocar\u00e1 un ataque de denegaci\u00f3n de servicio (DoS). La expresi\u00f3n regular incorrecta se genera cada vez que hay dos par\u00e1metros dentro de un solo segmento, separados por algo que no sea un punto (.). Para los usuarios de la versi\u00f3n 0.1, actualice a la versi\u00f3n 0.1.10. Todos los dem\u00e1s usuarios deben actualizar a la versi\u00f3n 8.0.0."
    }
  ],
  "id": "CVE-2024-45296",
  "lastModified": "2025-01-24T20:15:32.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-09-09T19:15:13.330",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20250124-0001/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.