CVE-2024-45296
📋 TL;DR
CVE-2024-45296 is a regular-expression denial-of-service (ReDoS) vulnerability in the path-to-regexp library. When a route pattern places two parameters in one path segment separated by anything other than a period (for example '/:a-:b'), the library generates a regular expression that backtracks heavily on crafted, non-matching paths. A single request carrying such a path pins the CPU and blocks the Node.js event loop, so the whole process stops serving requests until the match finishes. Any application that uses a vulnerable version of path-to-regexp for URL routing or path matching and defines a route of that shape is affected; the vulnerable pattern lives in the application's own route definitions, and the attacker only needs to send a request to it.
💻 Affected Systems
- path-to-regexp library (0.1.x before 0.1.10; all other branches before 8.0.0)
- Applications using path-to-regexp for routing, directly or through a framework (Express 4.x, for example, depends on the 0.1.x branch as a nested dependency)
⚠️ Manual Verification Required
The CVE record in this database carries no version ranges (none were imported from NVD), so automated detection cannot decide whether your system is affected.
Why? The imported entry does not specify which versions are vulnerable. The vendor advisory does name the fixed versions (0.1.10 for the 0.1.x branch, 8.0.0 for everything else), so check your installed versions by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application denial-of-service where the Node.js process becomes unresponsive, requiring restart and causing extended downtime.
Likely Case
Application performance degradation and intermittent unresponsiveness when malicious requests trigger the vulnerable path patterns.
If Mitigated
Minimal impact with proper rate limiting, request validation, and updated library versions.
🎯 Exploit Status
No authentication or special tooling is needed. An attacker sends an ordinary HTTP request whose path is crafted so that it cannot match a route of the vulnerable shape, for example a short token repeated with the separator thousands of times ('/a-a-a-...-a/a' against a route defined as '/:a-:b'). The regex engine then tries every way of splitting the repeated separators between the two parameters before giving up, and the work grows quadratically with the path length. The advisory includes the vulnerable pattern and the payload shape, so proof-of-concept requests are trivial to produce; only routes whose patterns have the vulnerable shape are exposed, and the attacker has to hit one of them.
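The following Node.js script is an added illustration of the shape described above; it is not code from this page, from the advisory, or from path-to-regexp itself. It reconstructs the regular expression the advisory shows for the route '/:a-:b', builds the advisory's payload shape, and times it against a hardened variant in which the second parameter cannot contain the separator. The hardened regex, the timing harness and the custom-pattern spelling '/:a-:b([^-]+)' are this example's own assumptions.

```javascript
// Added example, not code from path-to-regexp or its advisory: reproduces the
// backtracking of the regex generated for the route "/:a-:b" and compares it
// with a hardened regex. Uses only the Node.js global `performance`.

// Regex that vulnerable path-to-regexp versions generate for "/:a-:b"
// (as shown in the GHSA advisory). Both groups are lazy and both may contain
// "-", so on a non-matching input the engine tries every way of splitting the
// dashes between the two groups: quadratic work in the path length.
const VULNERABLE = /^\/([^\/]+?)-([^\/]+?)\/?$/;

// Hardened form (assumed for this example): the second parameter may not
// contain the separator "-", so each choice for the first group fails after a
// bounded amount of work. In path-to-regexp the same effect comes from a
// custom parameter pattern such as "/:a-:b([^-]+)".
const HARDENED = /^\/([^\/]+?)-([^\/-]+)\/?$/;

// Payload shape from the advisory: "/a-a-a-...-a/a". The trailing "/a" makes
// the path unmatchable, so the engine must exhaust every split before failing.
function payload(repeats) {
  return "/a" + "-a".repeat(repeats) + "/a";
}

// Runs one regex against one input; reports match result, groups and elapsed ms.
function timeMatch(re, input) {
  const t0 = performance.now();
  const m = re.exec(input);
  return { matched: m !== null, groups: m ? m.slice(1) : null, ms: performance.now() - t0 };
}

// Times both regexes on the same payload size.
function compare(repeats) {
  const input = payload(repeats);
  return {
    repeats,
    length: input.length,
    vulnerable: timeMatch(VULNERABLE, input),
    hardened: timeMatch(HARDENED, input),
  };
}

const isMain = typeof require !== "undefined" && require.main === module;
if (isMain) {
  // Doubling the payload roughly quadruples the vulnerable regex's run time;
  // the hardened regex stays linear.
  for (const n of [1000, 2000, 4000]) {
    const r = compare(n);
    console.log(
      `repeats=${n} len=${r.length} vulnerable=${r.vulnerable.ms.toFixed(1)}ms ` +
        `hardened=${r.hardened.ms.toFixed(1)}ms`
    );
  }
  // Legitimate paths still match, but ambiguous ones split differently.
  console.log(timeMatch(VULNERABLE, "/foo-bar-baz").groups);
  console.log(timeMatch(HARDENED, "/foo-bar-baz").groups);
}
```

Run it with node and watch the vulnerable column grow with the square of the payload size; at the advisory's 8000 repeats a single request costs seconds of event-loop time. Note the behavioural trade-off the hardened class introduces: '/foo-bar-baz' yields ['foo', 'bar-baz'] under the original regex but ['foo-bar', 'baz'] under the hardened one, so routes that relied on the ambiguous split need to be reviewed when applying the custom-pattern workaround.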
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.10 for 0.1.x branch, 8.0.0 for all other branches
Vendor Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
Restart Required: Yes
Instructions:
1. Check which path-to-regexp versions are installed, including nested copies: package.json only lists direct dependencies, so look in package-lock.json or yarn.lock as well.
2. Update to 0.1.10 if you are on the 0.1.x branch. When that copy is pulled in by a framework such as Express 4, update the framework (or use your package manager's override/resolution mechanism) rather than adding path-to-regexp to your own package.json; the nested copy is the one that handles requests.
3. Update to 8.0.0 if you are on any other branch. 8.0.0 is a major release with pattern-syntax changes, so review your route definitions as part of the upgrade.
4. Run npm update or yarn upgrade and confirm the lock file no longer contains a vulnerable version.
5. Restart the application.
🔧 Temporary Workarounds
Rewrite vulnerable route patterns (all versions)
Audit route definitions for two parameters in one path segment separated by anything other than a period, and rewrite them. Where such a route is required, give every parameter after the first a custom regular expression that cannot match the separator, for example '/:a-:b([^-]+)' instead of '/:a-:b'; the second group then cannot expand across the separator and matching stays linear. Check that the new pattern still splits legitimate paths the way the application expects.
Rate limiting and request-size limits (all versions)
Rate-limit requests per client and cap URL length at the edge; the payload needs thousands of characters per request to do real damage, so a modest path-length limit removes most of the attacker's leverage.
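A static check that finds the vulnerable pattern shape in a list of route definitions, as an added example that is neither the page's nor the project's code. It understands the pre-8.0 ':name' parameter syntax with an optional custom pattern in parentheses; the per-character test for whether a custom pattern can match the separator, and the sample routes, are this example's own assumptions.

```javascript
// Added example, not path-to-regexp's own code: static check over route
// definitions (pre-8.0 ":name" syntax) for the pattern shape behind
// CVE-2024-45296. A segment is unsafe when two parameters sit in it with
// anything other than a single "." between them, unless the later parameter
// has a custom pattern that cannot match the separator text.

// ":name" optionally followed by a custom pattern "(...)". Single-level
// parentheses cover the usual route definitions; an unbalanced or nested custom
// pattern stays unparsed, is treated as absent, and the segment is flagged.
const PARAM_RE = /:([A-Za-z0-9_]+)(\((?:[^()\\]|\\.)*\))?/g;

// True when the custom pattern can match no character of the separator, so the
// second group can never expand across it. Heuristic (this example's
// assumption): an anchored test per separator character; an empty separator or
// an unparseable pattern counts as unsafe.
function separatorExcluded(custom, separator) {
  if (separator === "") return false;
  let re;
  try {
    re = new RegExp("^" + custom + "$");
  } catch (_) {
    return false;
  }
  for (const ch of separator) {
    if (re.test(ch)) return false;
  }
  return true;
}

// Returns one finding per adjacent parameter pair that can backtrack.
function findUnsafeSegments(pattern) {
  const findings = [];
  for (const segment of pattern.split("/")) {
    const params = [...segment.matchAll(PARAM_RE)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      if (separator === ".") continue; // the one separator the library handles safely
      if (cur[2] && separatorExcluded(cur[2], separator)) continue;
      findings.push({ segment, params: [prev[1], cur[1]], separator });
    }
  }
  return findings;
}

// Lints a list of route patterns; returns only the offending ones with details.
function lintRoutes(patterns) {
  return patterns
    .map((pattern) => ({ pattern, findings: findUnsafeSegments(pattern) }))
    .filter((r) => r.findings.length > 0);
}

const isMain = typeof require !== "undefined" && require.main === module;
if (isMain) {
  // Constructed sample routes, not taken from any real application.
  const routes = [
    "/users/:id",
    "/files/:name.:ext", // safe: "." separator
    "/range/:from-:to", // unsafe: "-" separator, no custom pattern
    "/range/:from-:to([^-]+)", // safe: second parameter cannot contain "-"
    "/range/:from-:to(.*)", // unsafe: custom pattern still matches "-"
    "/items/:a,:b/:c", // unsafe: "," separator
  ];
  for (const r of lintRoutes(routes)) {
    console.log(r.pattern, JSON.stringify(r.findings));
  }
}
```

Feed it the patterns you pass to app.get() and friends (or whatever builds your router); every finding is a route worth rewriting or giving a custom pattern. It is a syntactic check and will not see patterns assembled at runtime from strings.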
🧯 If You Can't Patch
- Add WAF or reverse-proxy rules that reject abnormally long request paths and paths made of one short token repeated with a separator (for example more than a few hundred '-' characters in a single segment) before they reach the application.
- Filtering has to happen in front of the Node.js process: the expensive matching runs inside Node, so regex timeouts on the proxy do not protect the backend; only blocking or truncating the request before it is routed does.
🔍 How to Verify
Check if Vulnerable:
Look up every installed copy of path-to-regexp in package-lock.json (or yarn.lock), not only the one named in package.json: frameworks such as Express 4 carry their own nested 0.1.x copy. Versions below 0.1.10 on the 0.1.x branch, and below 8.0.0 on any other branch, are vulnerable.
Check Version:
npm ls path-to-regexp --all (lists nested copies too) or inspect the lock file directly
Verify Fix Applied:
Verify path-to-regexp version is 0.1.10+ (0.1.x) or 8.0.0+ (other branches) after update. Test with known vulnerable path patterns.
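An audit of a parsed package-lock.json for every copy of path-to-regexp, nested ones included, as an added example (not the page's or the project's code). It applies the two thresholds given on this page (0.1.x fixed in 0.1.10, everything else in 8.0.0), handles both the flat 'packages' map of lockfileVersion 2/3 and the nested 'dependencies' tree of lockfileVersion 1, and runs on constructed sample lock data embedded below; the sample version numbers are illustrative.

```javascript
// Added example, not part of the page or the project: audits a parsed
// package-lock.json for every copy of path-to-regexp and flags the versions
// this page lists as vulnerable (0.1.x below 0.1.10; anything else below 8.0.0).

const PKG = "path-to-regexp";

// "1.2.3-beta.1+build" -> [1, 2, 3]; pre-release and build suffixes are dropped.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const [major, minor, patch] = core.split(".").map((n) => parseInt(n, 10) || 0);
  return [major, minor, patch];
}

function isVulnerable(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major === 0 && minor === 1) return patch < 10; // 0.1.x branch fixed in 0.1.10
  return major < 8; // every other branch fixed in 8.0.0
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackagesMap(packages) {
  return Object.entries(packages)
    .filter(([path, meta]) => path.endsWith("node_modules/" + PKG) && meta.version)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencyTree(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + name;
    if (name === PKG && meta.version) out.push({ path, version: meta.version });
    fromDependencyTree(meta.dependencies, path + "/", out);
  }
  return out;
}

// Returns every installed copy with its install path, version and verdict.
function findPathToRegexp(lock) {
  const copies = lock.packages
    ? fromPackagesMap(lock.packages)
    : fromDependencyTree(lock.dependencies, "", []);
  return copies.map((c) => ({ ...c, vulnerable: isVulnerable(c.version) }));
}

// Constructed sample (lockfileVersion 3): a top-level 6.x copy plus the 0.1.x
// copy that Express 4 carries as its own nested dependency. Versions illustrative.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.19.0", "path-to-regexp": "^6.2.0" } },
    "node_modules/express": { version: "4.19.2", dependencies: { "path-to-regexp": "0.1.7" } },
    "node_modules/express/node_modules/path-to-regexp": { version: "0.1.7" },
    "node_modules/path-to-regexp": { version: "6.2.2" },
  },
};

// Constructed sample (lockfileVersion 1) with the same layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    express: { version: "4.19.2", dependencies: { "path-to-regexp": { version: "0.1.7" } } },
    "path-to-regexp": { version: "6.2.2" },
  },
};

const isMain = typeof require !== "undefined" && require.main === module;
if (isMain) {
  for (const c of findPathToRegexp(SAMPLE_LOCK)) {
    console.log(`${c.vulnerable ? "VULNERABLE" : "ok        "} ${c.version.padEnd(8)} ${c.path}`);
  }
}
```

To audit a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Any line marked VULNERABLE whose path is nested under another package means that package, not your own package.json, is what needs updating. After the fix, re-run the audit and expect no VULNERABLE lines, then exercise a route of the '/:a-:b' shape with a long repeated-separator path to confirm the response returns promptly.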
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Increased request processing times
- Application timeout errors
- Long request paths (thousands of characters) made of a short token repeated with a separator, for example '/a-a-a-...-a', aimed at routes defined with patterns like '/:param1-:param2'
Network Indicators:
- Repeated requests to same endpoint with varying parameters
- Unusually high request volume to specific routes
SIEM Query:
source="application.logs" AND (message="high cpu" OR message="timeout" OR message="event loop blocked") AND process="node"
🔗 References
- https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
- https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
- https://security.netapp.com/advisory/ntap-20250124-0001/