PT-2024-31549 · Unknown · Path-To-Regexp

Blakeembrey · Published 2024-09-09 · Updated 2026-05-21 · CVE-2024-45296

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions
path-to-regexp versions prior to 0.1.10
path-to-regexp versions prior to 8.0.0

Description
The issue arises when path-to-regexp generates a regular expression with poor worst-case performance, leading to a Denial of Service (DoS). This occurs when a single path segment contains two parameters separated by something other than a period (.). For example, the route /:a-:b produces a regular expression that can be exploited. The estimated impact is significant: in local benchmarks the generated regex performed over 1000x worse than a safe regex, and in a realistic environment this translates to an average latency of ~600ms vs 1ms.

Recommendations
For users of 0.1, upgrade to 0.1.10. For all other users, upgrade to 8.0.0. As a temporary workaround, consider providing a custom regular expression for each parameter after the first in a single segment, ensuring it cannot match the text that precedes the parameter. Alternatively, limit the URL length to improve performance: halving the attack string, for example, makes matching about 4x faster.
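To make the description and the workaround concrete, here is an added example (not code from the path-to-regexp project or this advisory) that reproduces the regular expression path-to-regexp 0.1.x builds for the route /:a-:b, runs a constructed non-matching path against it, and contrasts it with the advisory's workaround of a custom pattern for the second parameter; the exact 0.1.x regex shape and the custom class [^\/-]+ are assumptions.

```javascript
// Added example, not code from the path-to-regexp project. VULNERABLE is the
// regex shape assumed from the 0.1.x generator for `/:a-:b` (each `:name`
// becomes `(?:([^\/]+?))`); HARDENED is the advisory's workaround applied.

// Vulnerable shape: two lazy "anything but slash" groups joined by a literal
// '-'. Either group can also swallow '-', so on a path that ends up not
// matching the engine retries every possible split: O(n^2) for n dashes.
const VULNERABLE = /^\/(?:([^\/]+?))-(?:([^\/]+?))\/?$/i;

// Workaround shape for the route `/:a-:b([^\/-]+)` (the custom class is our
// choice): the second parameter cannot match the '-' that precedes it, so
// each candidate split fails immediately and total work is O(n).
const HARDENED = /^\/(?:([^\/]+?))-(?:([^\/-]+))\/?$/i;

// Constructed request path that matches neither regex: a run of n dashes
// followed by a second segment, which defeats the trailing `\/?$`.
function attackPath(n) {
  return '/' + '-'.repeat(n) + '/x';
}

// Route params as an Express 4 handler would see them, or null on no match.
function extractParams(re, path) {
  const m = re.exec(path);
  return m ? { a: m[1], b: m[2] } : null;
}

// Time one regex against one path; returns the match result and elapsed ms.
function timeMatch(re, path) {
  const start = performance.now();
  const matched = re.test(path);
  return { matched, ms: performance.now() - start };
}

// Run both regexes against the same attack path. Doubling n roughly
// quadruples the vulnerable time, which is the advisory's "halve the URL
// length for 4x" observation seen from the other side.
function compare(n) {
  const path = attackPath(n);
  return { n, vulnerable: timeMatch(VULNERABLE, path), hardened: timeMatch(HARDENED, path) };
}

// Demo: a legitimate request resolves identically under both regexes, while
// the attack path costs the vulnerable regex far more than the hardened one.
console.log(extractParams(VULNERABLE, '/foo-bar'), extractParams(HARDENED, '/foo-bar'));
for (const n of [2000, 4000]) {
  const r = compare(n);
  console.log(`n=${r.n} vulnerable=${r.vulnerable.ms.toFixed(1)}ms hardened=${r.hardened.ms.toFixed(3)}ms`);
}
```

The workaround also changes how ambiguous paths split: for /foo-bar-baz the original regex yields a='foo', b='bar-baz', while the hardened one yields a='foo-bar', b='baz', so existing routes should be re-tested after applying it.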

Related Identifiers

AZL-49085
AZL-49103
AZL-49117
AZL-49158
AZL-49161
CVE-2024-45296
GHSA-9WV6-86V2-598J
OPENSUSE-SU-2024:14374-1
OPENSUSE-SU-2025:14663-1
RHSA-2024:10762
USN-8290-1

Affected Products

Confluence
Debian
Linuxmint
Ubuntu
Path-To-Regexp