path-to-regexp 0.1.10

1 security vulnerability found in version 0.1.10

path-to-regexp contains a ReDoS

high severity CVE-2024-52798
Affected versions: < 0.1.12

Impact

A regular expression vulnerable to backtracking can be generated by versions of path-to-regexp before 0.1.12; this is the issue originally reported in CVE-2024-45296.

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment when the separator is not "." (for example, do not use /:a-:b). Alternatively, define the regex used for both parameters explicitly and ensure the two patterns cannot overlap, since overlap is what allows the backtracking.
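The following is an added example, not code from path-to-regexp or from the advisory: a small route linter that flags the route shape the workaround warns about. It assumes Express 4 / path-to-regexp 0.1.x route syntax (":name" parameters, an optional "(pattern)" suffix, "/" between segments) and that a bare ":name" falls back to the capture [^\/]+?. The "." exemption is taken directly from the workaround text; the non-overlap test (can either parameter's pattern consume the separator on its own?) is a heuristic chosen for this example, not the library's own check.

```javascript
// Added example: static check for "two parameters in one segment" routes.
// Route syntax assumed: ":name" params with optional "(pattern)"; "/" separates segments.

// Assumed default capture for a bare ":name" in path-to-regexp 0.1.x.
const DEFAULT_PATTERN = '[^\\/]+?';

// Matches ":name" or ":name(pattern)"; patterns with nested parentheses are out of scope.
const PARAM_RE = /:([A-Za-z_$][\w$]*)(?:\(([^)]*)\))?/g;

// Return every parameter in one path segment with its custom pattern (or null).
function parseParams(segment) {
  const params = [];
  PARAM_RE.lastIndex = 0;
  let m;
  while ((m = PARAM_RE.exec(segment)) !== null) {
    params.push({
      name: m[1],
      pattern: m[2] === undefined ? null : m[2],
      start: m.index,
      end: m.index + m[0].length,
    });
  }
  return params;
}

// Heuristic: can this parameter pattern match the separator text by itself?
// If it can, the separator position is ambiguous and the engine may backtrack.
function canMatchWhole(pattern, text) {
  try {
    return new RegExp('^(?:' + pattern + ')$').test(text);
  } catch (e) {
    return true; // unparseable pattern: treat as overlapping (conservative)
  }
}

// List adjacent parameter pairs that share a segment and whose patterns can overlap.
function findRiskySegments(route) {
  const findings = [];
  route.split('/').forEach((segment, segmentIndex) => {
    const params = parseParams(segment);
    for (let i = 1; i < params.length; i++) {
      const left = params[i - 1];
      const right = params[i];
      const separator = segment.slice(left.end, right.start);
      if (separator === '.') continue; // advisory: "." as separator is acceptable
      const leftPattern = left.pattern ?? DEFAULT_PATTERN;
      const rightPattern = right.pattern ?? DEFAULT_PATTERN;
      const overlaps =
        separator === '' ||
        canMatchWhole(leftPattern, separator) ||
        canMatchWhole(rightPattern, separator);
      if (overlaps) {
        findings.push({ segment, segmentIndex, params: [left.name, right.name], separator });
      }
    }
  });
  return findings;
}

// Constructed sample routes for a quick report.
const SAMPLE_ROUTES = [
  '/:a-:b',                    // flagged: default patterns on both sides can consume "-"
  '/:a.:b',                    // not flagged: "." separator, per the advisory
  '/:a(\\d+)-:b(\\d+)',        // not flagged: neither \d+ can consume "-"
  '/:year(\\d{4})-:slug',      // flagged: bare :slug still uses the default pattern
  '/users/:id/posts/:slug',    // not flagged: one parameter per segment
];

for (const route of SAMPLE_ROUTES) {
  const hits = findRiskySegments(route);
  console.log(route, hits.length ? 'RISKY ' + JSON.stringify(hits) : 'ok');
}
```

The check is deliberately conservative: a segment is reported whenever either parameter's pattern could swallow the separator, which is exactly the ambiguity the workaround tells you to remove by giving both parameters explicit, non-overlapping patterns (or by splitting the segment).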

References

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.