
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
path-to-regexp is a package that turns path strings into regular expressions. A vulnerability was discovered where in certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The vulnerability affects versions prior to 0.1.10, 0.2.0 prior to 1.9.0, 2.0.0 prior to 3.3.0, 4.0.0 prior to 6.3.0, and 7.0.0 prior to 8.0.0. The issue was disclosed on September 9, 2024 (GitHub Advisory).
The vulnerability occurs when two parameters are present within a single segment, separated by something that is not a period (.). For example, the pattern '/:a-:b' produces the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/i. Both capture groups accept the same characters, and the separator character (-) is itself accepted by each group, so a path containing repeated patterns forces the regular expression engine to backtrack heavily before it can reject the input. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a Denial of Service (DoS). In local benchmarks, exploiting the unsafe regex resulted in performance that is over 1000x worse than the safe regex. In a realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms (GitHub Advisory).
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0. These versions add backtrack protection when a custom regex pattern is not provided. For versions that cannot be upgraded, a workaround is to provide a custom regular expression for every parameter after the first within a single segment, so that the parameter cannot consume the separator. For example, change /:a-:b to /:a-:b([^-/]+). Another alternative is to limit the URL length, since halving the attack string improves performance by 4x (GitHub Advisory).
Source: This report was generated using AI