CVE-2024-45296
Regular Expression Denial of Service (ReDoS) vulnerability in path-to-regexp (npm)


What is CVE-2024-45296 About?

This ReDoS vulnerability in `path-to-regexp` occurs when two parameters exist in a single segment without a period separator (e.g., `/:a-:b`). A specially crafted malicious path can cause severe performance degradation, leading to a denial of service. The vulnerability is easy to trigger with a specific long input string.

Affected Software

  • path-to-regexp
    • <0.1.10
    • >0.2.0, <1.9.0
    • >2.0.0, <3.3.0
    • >4.0.0, <6.3.0
    • >7.0.0, <8.0.0

Technical Details

The vulnerability stems from the way path-to-regexp generates regular expressions for paths containing multiple parameters within a single segment, separated by non-period characters (e.g., /:a-:b). Because each parameter's default pattern can also consume the separator, the generated regex admits many ways to split the segment and is prone to catastrophic backtracking. An attacker can exploit this by sending a long, specially crafted URL path (e.g., /a${'-a'.repeat(8_000)}/a) which, despite never matching the route, forces the regex engine to try each of those splits. Since JavaScript is single-threaded, this processing overhead on the main thread blocks the event loop, causing severe performance degradation and a denial of service for the application.
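The following is an added example, not code from the advisory or from the path-to-regexp project. It shows the defender-side checks that follow from the description above and from the exploitability notes: a small linter that flags route templates with two parameters in one segment that are not separated by a period or by a custom parameter pattern, a hand-written approximation of the ambiguous regex shape beside a constrained variant whose first parameter cannot contain the delimiter (so the segment has exactly one possible split), and a path-length guard of the kind that removes the "no URL length limit" precondition. The regex literals, the 2048-byte limit and the route list are constructed for illustration; check the output of your installed path-to-regexp version rather than relying on the approximation.

```javascript
// Added example for CVE-2024-45296 (not part of the advisory or the library).
// Matches `:name` or `:name(custom pattern)` inside a route template.
const PARAM = /:(\w+)(\([^)]*\))?/g;

// Lint route templates for the `/:a-:b` shape: two parameters in one path
// segment where the text between them contains no period and the earlier
// parameter has no custom pattern constraining what it may consume.
function findAmbiguousRoutes(routes) {
  const findings = [];
  for (const route of routes) {
    for (const segment of route.split('/')) {
      const params = [...segment.matchAll(PARAM)];
      for (let i = 1; i < params.length; i++) {
        const prev = params[i - 1];
        const between = segment.slice(prev.index + prev[0].length, params[i].index);
        const prevConstrained = prev[2] !== undefined; // e.g. :a([^-]+)
        if (!between.includes('.') && !prevConstrained) {
          findings.push({ route, segment, params: [prev[1], params[i][1]], separator: between });
        }
      }
    }
  }
  return findings;
}

// Approximate shape of the regex a 6.2.x path-to-regexp builds for '/:a-:b'
// (constructed by hand). Both parameters use `[^\/#\?]+?`, so either of them
// can swallow '-' characters and a non-matching input has O(n^2) splits to try.
const ambiguous = /^(?:\/([^\/#\?]+?))-([^\/#\?]+?)[\/#\?]?$/i;

// Constrained variant: the first parameter may not contain the '-' delimiter,
// so the split point is unique and the engine fails fast on crafted input.
const constrained = /^(?:\/([^\/#\?\-]+))-([^\/#\?]+?)[\/#\?]?$/i;

// Returns the two captured parameters, or null when the path does not match.
function matchParams(re, path) {
  const m = re.exec(path);
  return m ? { a: m[1], b: m[2] } : null;
}

// Express-style middleware that rejects over-long request paths with 414
// before any route regex runs. The default limit is a constructed value;
// set it to the longest legitimate path your application serves.
function pathLengthGuard(max = 2048) {
  return function (req, res, next) {
    if (typeof req.url === 'string' && req.url.length > max) {
      res.statusCode = 414; // URI Too Long
      res.end();
      return;
    }
    next();
  };
}

// Demo on a constructed route list: only the hyphen-separated pair is flagged.
const demoRoutes = ['/users/:id', '/files/:name.:ext', '/:a-:b', '/:a([^-]+)-:b'];
console.log(findAmbiguousRoutes(demoRoutes));
// Benign input is handled identically by both regex shapes.
console.log(matchParams(ambiguous, '/foo-bar'), matchParams(constrained, '/foo-bar'));
```

Routes the linter flags are the ones to rewrite (constrain the first parameter, use a period separator, or split the segment) or to cover with the upgrade listed below; the length guard is a defence-in-depth layer, not a substitute for the patch.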

What is the Impact of CVE-2024-45296?

Successful exploitation may allow attackers to cause severe performance degradation, blocking the event loop and potentially leading to a complete denial of service for the application.

What is the Exploitability of CVE-2024-45296?

Exploitation has low complexity and requires no authentication or special privileges. It is a remote vulnerability, as an attacker only needs to send a crafted URL to the web server. The primary prerequisite is that the application uses path-to-regexp with vulnerable patterns like /:a-:b and does not have the latest patches or workarounds applied. While specific knowledge of the URL structure is helpful, the attack string pattern is relatively generic for ReDoS. The lack of URL length limits also increases the risk of successful exploitation.

What are the Known Public Exploits?

No known public exploits have been published (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2024-45296?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch addresses CVE-2024-45296 by improving the way the pathToRegexp library handles parameter patterns in path templates, preventing ambiguous adjacent parameters and generating stricter regular expressions that avoid polynomial-time (ReDoS) behavior. It introduces checks to ensure there is mandatory text between parameters and disallows certain repeating patterns without clear boundaries, thereby eliminating the possibility of crafted input causing catastrophic backtracking.

Available Upgrade Options

  • path-to-regexp
    • <0.1.10 → Upgrade to 0.1.10
    • >0.2.0, <1.9.0 → Upgrade to 1.9.0
    • >2.0.0, <3.3.0 → Upgrade to 3.3.0
    • >4.0.0, <6.3.0 → Upgrade to 6.3.0
    • >7.0.0, <8.0.0 → Upgrade to 8.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-45296?

Similar Vulnerabilities: CVE-2023-45133, CVE-2022-25925, CVE-2021-23371, CVE-2020-28168, CVE-2019-10744