Unpatched path-to-regexp ReDoS in 0.1.x
A regular expression that is vulnerable to catastrophic backtracking can still be generated by the 0.1.x releases of path-to-regexp. The issue was originally reported in CVE-2024-45296.
Upgrade to 0.1.12.
Avoid using two parameters within a single path segment when the separator between them is not "." (e.g. no /:a-:b). Alternatively, define the regex used for both parameters explicitly and ensure the two patterns do not overlap, since overlapping patterns are what allow the backtracking.
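As an added illustration of the workaround (this is not code from path-to-regexp or the advisory), the following small audit helper scans route strings of the form Express/path-to-regexp 0.1.x accept and reports segments that contain two parameters separated by something other than ".", as described above. The parameter syntax it recognises (":name" with an optional "(regex)" suffix) and the sample routes are assumptions made for the example; a segment in which both parameters carry an explicit regex is reported as "review" because the helper cannot prove the two patterns do not overlap.

```javascript
// Added example, not path-to-regexp's own code. Audits route strings for the
// risky shape this advisory describes: two ":param" tokens in one path
// segment whose separator is not ".", without explicit per-parameter regexes.

// One ":name" parameter, optionally followed by a custom "(regex)" group.
// Assumption: this mirrors the 0.1.x parameter syntax closely enough for a lint.
const PARAM_RE = /:([A-Za-z0-9_]+)(\(((?:\\.|[^\\()])+)\))?/g;

// Returns a list of findings, one per adjacent parameter pair that needs attention.
// severity "high": at least one parameter has no custom regex (the advisory's
//   unsafe case, e.g. "/:a-:b").
// severity "review": both parameters have custom regexes; a human must confirm
//   they cannot both match the same characters (the advisory's alternative fix).
function analyzeRoute(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = [];
    PARAM_RE.lastIndex = 0;
    let m;
    while ((m = PARAM_RE.exec(segment)) !== null) {
      params.push({
        name: m[1],
        custom: m[3] || null,
        start: m.index,
        end: m.index + m[0].length,
      });
    }
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.end, cur.start);
      if (separator === '.') continue; // the one separator the advisory treats as safe
      findings.push({
        segment,
        params: [prev.name, cur.name],
        separator,
        severity: prev.custom && cur.custom ? 'review' : 'high',
      });
    }
  }
  return findings;
}

// Convenience wrapper for scanning a whole route table.
function auditRoutes(routes) {
  const report = {};
  for (const route of routes) {
    const findings = analyzeRoute(route);
    if (findings.length > 0) report[route] = findings;
  }
  return report;
}

// Constructed sample route table (not from any real application).
const SAMPLE_ROUTES = [
  '/users/:id',                    // single parameter: fine
  '/files/:name.:ext',             // two parameters, "." separator: allowed by the advisory
  '/range/:from-:to',              // the advisory's unsafe shape
  '/range/:from(\\d+)-:to(\\d+)',  // hardened: digit-only patterns cannot consume the "-"
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditRoutes(SAMPLE_ROUTES), null, 2));
}

module.exports = { analyzeRoute, auditRoutes, SAMPLE_ROUTES };
```

Running the block prints a "high" finding for /range/:from-:to and a "review" finding for the hardened form; the review entry is intentional, because whether two custom regexes overlap is a property of the patterns themselves, not of the route syntax, so the helper flags it for a person to confirm rather than silently passing it.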