CVE-2024-52798

HIGH

path-to-regexp <0.1.12 - Info Disclosure

Title source: llm

Description

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

References (3)

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20250124-0002/

[Vendor Advisory] https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w

[Patch] https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4

View Patch ZIP pw:eip

Scores

CVSS v4 7.7

EPSS 0.0029

EPSS Percentile 52.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

npm/path-to-regexp 0 - 0.1.12npm

pillarjs/path-to-regexp < 0.1.12

Published Dec 05, 2024

Tracked Since Feb 18, 2026