HIGH · CVSS 7.5
CVE-2024-52798 — path-to-regexp ReDoS
A regular-expression denial-of-service (ReDoS) in path-to-regexp allowed an attacker-supplied URL path, matched against a vulnerable route pattern, to trigger catastrophic backtracking and hang the Node.js event loop.
Affects
- path-to-regexp < 8.0.0
What an attacker does
An attacker sends a crafted URL path matching a vulnerable route pattern (used in Express, Next.js, and many frameworks). The regex engine enters catastrophic backtracking; the event loop blocks; all concurrent requests fail.
How to detect
Check your lockfile for a transitive path-to-regexp < 8.0.0 pulled in through your framework dependencies.
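To make that lockfile check concrete, here is an added example (not part of this advisory and not Securie's scanner) that walks a lockfileVersion 2 or 3 package-lock.json, follows each nested node_modules key back to the package that pins it, and flags every copy of path-to-regexp below 8.0.0; the lockfile content, package names and versions are constructed for illustration.

```javascript
// Added example: find transitive path-to-regexp < 8.0.0 in a package-lock.json
// (lockfileVersion 2 or 3, which list every installed copy under "packages").
// Constructed sample lockfile; package names and versions are illustrative only.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "some-framework": "1.0.0" } },
    "node_modules/some-framework": { version: "1.0.0" },
    "node_modules/some-framework/node_modules/path-to-regexp": { version: "0.1.7" },
    "node_modules/path-to-regexp": { version: "8.2.0" },
  },
});

// Minimal semver parse: major.minor.patch plus whether a prerelease tag is present.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v || ""));
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// True when `version` sorts strictly before `fixedIn` (8.0.0-rc.1 counts as below 8.0.0).
function isBelow(version, fixedIn) {
  const a = parseVersion(version), b = parseVersion(fixedIn);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Returns every installed copy of `pkg` below `fixedIn`, with the chain of
// packages that nests it (e.g. "some-framework > path-to-regexp").
function findVulnerable(lockJson, pkg = "path-to-regexp", fixedIn = "8.0.0") {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    // Keys nest like "node_modules/a/node_modules/b"; the segments are the chain.
    const chain = key.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    if (chain.length === 0 || chain[chain.length - 1] !== pkg) continue;
    const parsed = parseVersion(entry.version);
    // An unparseable version (git URL, file: link) is reported for manual review.
    if (!parsed || isBelow(entry.version, fixedIn)) {
      hits.push({ via: chain.join(" > "), version: entry.version || "?", parsed: Boolean(parsed) });
    }
  }
  return hits;
}

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.parsed ? "VULNERABLE" : "REVIEW"} ${h.version} via ${h.via}`);
}
```

On a real project, pass the contents of package-lock.json (e.g. read with fs.readFileSync) to findVulnerable instead of SAMPLE_LOCK; a hit whose chain starts with your framework is exactly the transitive pin this advisory is about.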
How to fix
Upgrade your framework (Express 4.20.0+ / Next.js 14.2.15+) to pull the patched path-to-regexp.
How Securie catches it
Securie's transitive-vuln scanner traces this through your framework pins.