path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
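A worked illustration of the mechanism described above, added here as an example; it is not code from this CVE record or from the path-to-regexp project. The three regular expressions are hand-reconstructed approximations of what the affected 6.x and 0.1.x releases emit for the routes `/:a-:b` and `/:a.:b` (an assumption; the library is never called), `findRiskySegments` is a hypothetical lint that flags the route shape the description names, and the period-separated pattern shows why that case behaves differently in 0.1.x: the parameter after the period is given a pattern that excludes the period, so the two captures cannot overlap (an explanation added here from the 0.1.x source, not from the record above).

```javascript
// Added example for CVE-2024-45296; not code from the advisory or from path-to-regexp.

// Hand-reconstructed shape of the regex affected 6.x releases emit for "/:a-:b"
// (assumption; the library is not called here). Both captures accept "-", so for
// a non-matching input every way of splitting the run of hyphens gets tried.
const V6_HYPHEN_SHAPE = /^(?:\/([^\/#\?]+?))-([^\/#\?]+?)[\/#\?]?$/i;

// The same route as 0.1.x (the line Express 4 uses) emits it, also reconstructed.
const V01_HYPHEN_SHAPE = /^\/(?:([^\/]+?))-(?:([^\/]+?))\/?$/i;

// "/:a.:b" in 0.1.x: the parameter after the period is given [^\/.]+?, so the
// second capture can never absorb the separator and the backtracking stays linear.
const V01_PERIOD_SHAPE = /^\/(?:([^\/]+?))\.(?:([^\/.]+?))\/?$/i;

// Constructed input: n copies of the separator, then a tail the pattern cannot
// match. The failing tail is what forces the engine to backtrack through every
// split instead of stopping at the first successful one.
function craftInput(separator, n) {
  return "/" + separator.repeat(n) + "/x";
}

function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

// Hypothetical lint: return the "/"-delimited segments that contain two or more
// ":name" parameters separated by anything other than a single period.
const PARAM_RE = /:(\w+)(\([^)]*\))?([?*+])?/g;

function findRiskySegments(routePath) {
  const risky = [];
  for (const segment of routePath.split("/")) {
    const params = [];
    PARAM_RE.lastIndex = 0;
    let m;
    while ((m = PARAM_RE.exec(segment)) !== null) {
      params.push({ name: m[1], start: m.index, end: m.index + m[0].length });
    }
    for (let i = 1; i < params.length; i++) {
      const separator = segment.slice(params[i - 1].end, params[i].start);
      if (separator !== ".") {
        risky.push({ segment, params: [params[i - 1].name, params[i].name], separator });
      }
    }
  }
  return risky;
}

// Stand-alone run: lint a constructed route table, then time both separators.
const routes = ["/users/:id", "/files/:name.:ext", "/range/:from-:to", "/:a:b"];
for (const r of routes) {
  const hits = findRiskySegments(r);
  if (hits.length) console.log(`risky: ${r} ->`, hits);
}
for (const n of [1000, 2000, 4000]) {
  const hyphen = timeMatch(V6_HYPHEN_SHAPE, craftInput("-", n));
  const period = timeMatch(V01_PERIOD_SHAPE, craftInput(".", n));
  console.log(`n=${n} hyphen ${hyphen.ms.toFixed(1)} ms, period ${period.ms.toFixed(2)} ms`);
}
```

Doubling n roughly quadruples the hyphen timing while the period timing stays flat, which is the difference the description draws between the two separators. The lint is the check to run over an Express 4 route table (0.1.x) or any direct consumer of the library before deciding whether the upgrade to 0.1.10 or 8.0.0 can wait; note that it reports a segment only from the route string, so it cannot see patterns assembled at runtime.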
History

Wed, 18 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.11::el9

Thu, 19 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.11::el9
cpe:/a:redhat:multicluster_engine:2.6::el8
cpe:/a:redhat:multicluster_engine:2.6::el9

Fri, 13 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhboac Hawtio
CPEs cpe:/a:redhat:rhboac_hawtio:4.0.0
Vendors & Products Redhat rhboac Hawtio

Thu, 12 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Distributed Tracing
CPEs cpe:/a:redhat:openshift_distributed_tracing:3.4::el8
Vendors & Products Redhat openshift Distributed Tracing

Tue, 10 Dec 2024 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhmt
CPEs cpe:/a:redhat:rhmt:1.8::el8
Vendors & Products Redhat rhmt

Sat, 07 Dec 2024 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat acm
Redhat multicluster Engine
CPEs cpe:/a:redhat:acm:2.12::el9
cpe:/a:redhat:multicluster_engine:2.7::el8
cpe:/a:redhat:multicluster_engine:2.7::el9
Vendors & Products Redhat acm
Redhat multicluster Engine

Wed, 04 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ansible Automation Platform
CPEs cpe:/a:redhat:ansible_automation_platform:2.4::el8
cpe:/a:redhat:ansible_automation_platform:2.4::el9
Vendors & Products Redhat ansible Automation Platform

Wed, 27 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Devspaces
CPEs cpe:/a:redhat:openshift_devspaces:3::el8
Vendors & Products Redhat openshift Devspaces

Fri, 22 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat trusted Profile Analyzer
CPEs cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products Redhat trusted Profile Analyzer

Thu, 31 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Data Foundation
CPEs cpe:/a:redhat:openshift_data_foundation:4.17::el9
Vendors & Products Redhat openshift Data Foundation

Wed, 30 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Gitops
CPEs cpe:/a:redhat:openshift_gitops:1.13::el8
Vendors & Products Redhat openshift Gitops

Tue, 22 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat network Observ Optr
CPEs cpe:/a:redhat:network_observ_optr:1.7.0::el9
Vendors & Products Redhat network Observ Optr

Wed, 16 Oct 2024 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.17::el9

Wed, 09 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift
CPEs cpe:/a:redhat:openshift:4.16::el9
Vendors & Products Redhat openshift

Tue, 08 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat service Mesh
CPEs cpe:/a:redhat:service_mesh:2.6::el8
cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products Redhat service Mesh

Thu, 03 Oct 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat logging
CPEs cpe:/a:redhat:logging:5.9::el9
Vendors & Products Redhat
Redhat logging

Tue, 10 Sep 2024 07:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None → threat_severity: Moderate


Mon, 09 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Pillarjs
Pillarjs path-to-regexp
CPEs cpe:2.3:a:pillarjs:path-to-regexp:*:*:*:*:*:*:*:*
Vendors & Products Pillarjs
Pillarjs path-to-regexp
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Sep 2024 19:15:00 +0000

Type Values Removed Values Added
Description path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Title path-to-regexp outputs backtracking regular expressions
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-09T19:07:40.313Z

Updated: 2024-09-09T19:38:12.783Z

Reserved: 2024-08-26T18:25:35.442Z

Link: CVE-2024-45296

Vulnrichment

Updated: 2024-09-09T19:38:02.181Z

NVD

Status : Awaiting Analysis

Published: 2024-09-09T19:15:13.330

Modified: 2024-09-10T12:09:50.377

Link: CVE-2024-45296

Redhat

Severity : Moderate

Public Date: 2024-09-09T19:15:13Z

Links: CVE-2024-45296 - Bugzilla