[Pkg-javascript-devel] Bug#1081656: node-path-to-regexp: CVE-2024-45296
Moritz Mühlenhoff
jmm at inutil.org
Fri Sep 13 16:32:49 BST 2024
Source: node-path-to-regexp
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-path-to-regexp.
CVE-2024-45296[0]:
| path-to-regexp turns path strings into regular expressions. In
| certain cases, path-to-regexp will output a regular expression that
| can be exploited to cause poor performance. Because JavaScript is
| single threaded and regex matching runs on the main thread, poor
| performance will block the event loop and lead to a DoS. The bad
| regular expression is generated any time you have two parameters
| within a single segment, separated by something that is not a period
| (.). For users of 0.1, upgrade to 0.1.10. All other users should
| upgrade to 8.0.0.
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (v8.0.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45296
https://www.cve.org/CVERecord?id=CVE-2024-45296
Please adjust the affected versions in the BTS as needed.
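Added worked example (not part of the bug report above and not code from the path-to-regexp project): a small Node.js script that, first, scans route templates for the condition the advisory describes (two parameters in one segment separated by anything other than a period) and, second, shows with a hand-written regular expression approximating the shape generated for "/:a-:b" why the engine backtracks, next to a hardened shape in which the first parameter is constrained so it cannot match the separator. The auditRoutes helper, both regexes and the adversarial path are assumptions constructed for illustration; they are not path-to-regexp's actual output, so compare against what your installed version generates before relying on them.

```javascript
// Added example for CVE-2024-45296; not code from the bug report or from the
// path-to-regexp project. The regexes below are hand-written approximations of
// the shape the advisory describes, not path-to-regexp's actual output.

// Matches ":name" optionally followed by a custom pattern in parentheses,
// e.g. ":id" or ":a([^-]+)". Nested parentheses are not handled (assumption).
const PARAM_TOKEN = /:([A-Za-z_$][A-Za-z0-9_$]*)(\([^)]*\))?/g;

// Flag route templates where one segment contains two parameters and the text
// between them is not exactly "." (the CVE-2024-45296 condition). A parameter
// carrying a custom pattern is assumed to have been written so that it cannot
// match the separator and is not analysed further.
function auditRoutes(routes) {
  const findings = [];
  for (const route of routes) {
    for (const segment of route.split("/")) {
      const params = [...segment.matchAll(PARAM_TOKEN)].map((m) => ({
        name: m[1],
        custom: m[2] !== undefined,
        start: m.index,
        end: m.index + m[0].length,
      }));
      for (let i = 1; i < params.length; i++) {
        const prev = params[i - 1];
        const separator = segment.slice(prev.end, params[i].start);
        if (separator !== "." && !prev.custom) {
          findings.push({ route, segment, params: [prev.name, params[i].name], separator });
        }
      }
    }
  }
  return findings;
}

// Shape of the expression generated for "/:a-:b" when both parameters use the
// default lazy "[^/]+?": each group can absorb "-", so on a non-matching input
// the engine tries every way of splitting the segment (quadratic backtracking).
const VULNERABLE_SHAPE = /^\/([^\/]+?)-([^\/]+?)\/?$/;

// Hardened shape: the first parameter is constrained so it can never contain
// the separator (the "/:a([^-]+)-:b" style of fix), removing the ambiguity.
const HARDENED_SHAPE = /^\/([^\/-]+)-([^\/]+?)\/?$/;

// Constructed adversarial path: many "-a" repeats followed by "/a", so the
// trailing "\/?$" never matches and every split is attempted before failure.
function adversarialPath(repeats) {
  return "/a" + "-a".repeat(repeats) + "/a";
}

// Run one regex against one input and report whether it matched and how long
// the match took in milliseconds (wall clock, for a visual comparison only).
function timedTest(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms };
}

function demo(repeats) {
  const input = adversarialPath(repeats);
  return {
    inputLength: input.length,
    vulnerable: timedTest(VULNERABLE_SHAPE, input),
    hardened: timedTest(HARDENED_SHAPE, input),
  };
}

// Constructed sample routes: only the second one should be flagged.
console.log(auditRoutes(["/users/:id", "/:a-:b", "/files/:name.:ext", "/:a([^-]+)-:b"]));
// Raise the repeat count to see the vulnerable shape's time grow quadratically
// while the hardened shape stays flat.
console.log(demo(2000));
```

Both shapes accept the same well-formed paths ("/foo-bar", "/a-b-c" with b bound to "b-c"), so the hardened form is a drop-in change for routes that never expect the separator inside the first parameter; the difference only shows on inputs that cannot match, which is exactly what an attacker sends.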