Source: node-path-to-regexp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-path-to-regexp.

CVE-2024-45296[0]:
| path-to-regexp turns path strings into regular expressions. In
| certain cases, path-to-regexp will output a regular expression that
| can be exploited to cause poor performance. Because JavaScript is
| single threaded and regex matching runs on the main thread, poor
| performance will block the event loop and lead to a DoS. The bad
| regular expression is generated any time you have two parameters
| within a single segment, separated by something that is not a period
| (.). For users of 0.1, upgrade to 0.1.10. All other users should
| upgrade to 8.0.0.

https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (v8.0.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45296
    https://www.cve.org/CVERecord?id=CVE-2024-45296

Please adjust the affected versions in the BTS as needed.