CVE-2024-36751

6.5 MEDIUM

📋 TL;DR

This vulnerability in parse-uri v1.0.9 allows attackers to cause a Denial of Service (DoS) by sending specially crafted URLs that trigger inefficient regular expression processing. Anyone using the affected parse-uri library version in their applications is vulnerable to service disruption.

💻 Affected Systems

Products:
  • parse-uri
Versions: v1.0.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using parse-uri v1.0.9 to parse URLs is vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion from ReDoS, potentially affecting all users of the vulnerable application.

🟠 Likely Case: Degraded performance or temporary service disruption for users accessing the vulnerable endpoint with malicious URLs.

🟢 If Mitigated: Minimal impact with proper input validation, rate limiting, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub issue. Exploitation requires sending a malicious URL to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.10 or later

Vendor Advisory: https://github.com/Kikobeats/parse-uri/issues/14

Restart Required: No

Instructions:

  1. Update parse-uri dependency to v1.0.10 or later.
  2. Run npm update parse-uri or yarn upgrade parse-uri.
  3. Test application functionality.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict URL validation before passing to parse-uri library

Rate limiting (applies to: all)

Implement request rate limiting to prevent DoS attacks
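The pre-validation workaround above, as an added example that is not code from parse-uri or from this advisory. It assumes parse-uri exposes a single function taking the URL string; that function is passed in as the `parser` argument so the guard runs without the dependency. The length cap and allowed schemes are constructed values to be tuned per application.

```javascript
// Added example: cheap, linear-time checks run before the string ever reaches
// parse-uri's regular expression, so an attacker-controlled URL cannot drive
// super-linear backtracking in the vulnerable 1.0.9 parser.
const MAX_URL_LENGTH = 2048;                 // constructed limit, tune per app
const ALLOWED_SCHEMES = ['http:', 'https:']; // constructed allow-list
const CONTROL_OR_SPACE = /[\u0000-\u0020\u007f]/; // single char class: linear scan

// Returns { ok: true, url } for an acceptable absolute URL, otherwise
// { ok: false, reason }. Nothing here uses a backtracking-prone pattern.
function validateUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_URL_LENGTH) return { ok: false, reason: 'too long' };
  if (CONTROL_OR_SPACE.test(input)) return { ok: false, reason: 'control character' };
  let parsed;
  try {
    // WHATWG URL parser (built into Node): a state machine, not a regex.
    parsed = new URL(input);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.includes(parsed.protocol)) {
    return { ok: false, reason: 'scheme not allowed' };
  }
  return { ok: true, url: parsed.href };
}

// Wrapper to use in place of a direct parse-uri call. `parser` is assumed to be
// parse-uri's exported function (string -> parsed object); any string parser works.
function safeParseUri(input, parser) {
  const check = validateUrl(input);
  if (!check.ok) throw new Error(`rejected URL: ${check.reason}`);
  return parser(check.url);
}

// Constructed sample inputs: one acceptable, one oversized.
const sampleGood = 'https://example.com/path?q=1';
const sampleLong = 'https://example.com/' + 'a'.repeat(MAX_URL_LENGTH);
console.log(validateUrl(sampleGood), validateUrl(sampleLong).reason);
```

Rejected inputs surface as thrown errors, which an endpoint can turn into a 400 response and a log line that feeds the detection indicators listed later on this page.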

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious URL patterns
  • Monitor CPU usage and implement automatic throttling on high load

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for parse-uri version 1.0.9

Check Version:

npm list parse-uri

Verify Fix Applied:

Verify parse-uri version is 1.0.10 or later in package.json

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Unusually long URL processing times
  • Multiple failed requests with similar URL patterns

Network Indicators:

  • Multiple requests with unusually long or complex URLs
  • Requests causing timeout responses

SIEM Query:

source="application_logs" AND (message="CPU spike" OR message="timeout" OR url_length>1000)
