HIGH · CVSS 7.5
CVE-2024-45296 — path-to-regexp outage-backtracking variant
A second ReDoS pattern in path-to-regexp affecting route definitions with optional parameters, discovered after the primary CVE-2024-52798.
Affects
- path-to-regexp < 0.1.10
- path-to-regexp < 6.3.0
- path-to-regexp < 8.0.0
What an attacker does
Any Express / Next.js / Koa app with a route like `/:foo?/:bar?` was vulnerable. Crafted URLs trigger catastrophic regex backtracking that hangs the event loop during route matching, so a single request can stall the whole process.
How to detect
Run `npm ls path-to-regexp` and compare every resolved version (including transitive copies pulled in by Express, Next.js or Koa) against the fixed versions given under "How to fix".
How to fix
Upgrade Express (or whichever framework pulls in path-to-regexp) to a current release so that every resolved copy of path-to-regexp is 0.1.10+, 6.3.0+ or 8.0.0+, according to its release line.
How Securie catches it
Securie pairs this with the original CVE-2024-52798.