CVE-2024-45813
JavaScript vulnerability analysis and mitigation

Overview

A regular expression denial of service (ReDoS) vulnerability was discovered in find-my-way, a fast, open source HTTP router that uses a Radix Tree. The vulnerability (CVE-2024-45813) occurs because a bad regular expression is generated when a route has two parameters within a single segment ending in '-', such as '/:a-:b-'. The issue was disclosed on September 18, 2024, affecting versions < 8.2.2 and 9.0.0 of the package (GitHub Advisory).

Technical details

The vulnerability stems from the way regular expressions are generated for routes with multiple parameters in a single segment. When a route pattern contains two parameters separated by a hyphen and ending with a hyphen (e.g., '/:a-:b-'), the generated regular expression can cause excessive backtracking. For example, matching against a path like '/flights/' + '-'.repeat(16_000) + '/x' can take 300ms instead of the expected sub-millisecond processing time (Web ReDoS). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

Impact

The vulnerability can lead to a denial of service condition when processing specially crafted URLs. When exploited, it causes excessive CPU usage due to backtracking in the regular expression engine, potentially making the service unresponsive. However, the impact is somewhat limited, as using more than one parameter within a single path segment (between slashes) is extremely rare in typical API implementations (Web ReDoS).

Mitigation and workarounds

Users are advised to update to find-my-way version 8.2.2 or 9.0.1, or a later release, which include patches for this vulnerability. For version 8, regex features have been removed to prevent exploitation. Users who cannot upgrade can mitigate the vulnerability by manually defining the parameters' regular expression whenever two or more parameters exist in a single segment, for example '/flights/:from-:to(\w+)'. As long as the first or second parameter cannot include '-' in its match, the route is safe (Web ReDoS).
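As an added example (not code from this page or from find-my-way), the helper below audits route patterns for the risky shape, two or more ':param' placeholders in one segment, and accepts the advisory's workaround: a segment is treated as safe once at least one of its parameters carries a regex constraint that cannot match '-'. The mini-parser for ':name' with an optional '(regex)' is an assumption of this example, and the hyphen check is a heuristic.

```javascript
// Added example, not find-my-way's own code: flag route patterns with the
// shape behind CVE-2024-45813 (two or more ':param's in one segment). Per
// the advisory's workaround, such a segment is considered safe once at least
// one parameter is constrained to a regex that cannot match '-'.
// The mini-parser is an assumption: ':name' with an optional '(regex)'.
function parseSegment(segment) {
  const params = [];
  let i = 0;
  while (i < segment.length) {
    if (segment[i] !== ':') { i += 1; continue; }
    let j = i + 1;
    while (j < segment.length && /\w/.test(segment[j])) j += 1;
    const name = segment.slice(i + 1, j);
    let regex = null;
    if (segment[j] === '(') {
      // Take the balanced parenthesised group as the parameter's constraint.
      let depth = 0, k = j;
      for (; k < segment.length; k += 1) {
        if (segment[k] === '(') depth += 1;
        else if (segment[k] === ')' && --depth === 0) break;
      }
      regex = segment.slice(j + 1, k);
      j = k + 1;
    }
    params.push({ name, regex });
    i = j;
  }
  return params;
}

// Heuristic: can the parameter's match contain a hyphen? Unconstrained
// parameters count as yes, as do regexes that accept '-'; invalid regex: yes.
function mayMatchHyphen(regex) {
  if (regex === null) return true;
  try { return new RegExp(`^(?:${regex})$`).test('-'); } catch (e) { return true; }
}

// One finding per segment in which every parameter may match '-'.
function auditRoute(pattern) {
  const findings = [];
  for (const segment of pattern.split('/')) {
    const params = parseSegment(segment);
    if (params.length >= 2 && params.every((p) => mayMatchHyphen(p.regex))) {
      findings.push({ segment, params: params.map((p) => p.name) });
    }
  }
  return findings;
}
```

Running auditRoute over every pattern passed to the router's route registration gives a quick inventory of routes that need the '(\w+)' style constraint until the upgrade lands.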

This report was generated using AI.