
CVE-2024-36751: parse-uri Regular expression Denial of Service (ReDoS)

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.21158%
Published: 1/16/2025
Updated: 2/3/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
parse-uri | npm | <= 1.0.9 | 
parseuri | npm | < 2.0.0 | 

Vulnerability Intelligence

Miggo AI Root Cause Analysis

GitHub issue #14 explicitly references the vulnerable regex patterns at parse-uri's index.js lines 28-29, which are used by the parseUri function, and its proof of concept demonstrates ReDoS through that function. For the parseuri package (< 2.0.0), the advisory links it to the same CVE but cites no code location; the medium-confidence attribution rests on package similarity and the shared vulnerability description. Both assigned CWEs, CWE-185 (Incorrect Regular Expression) and CWE-1333 (Inefficient Regular Expression Complexity), point to the regex implementation as the root cause.
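As an added example, not code from parse-uri, parseuri or Miggo's advisory, the Node.js script below shows the vulnerability class described above with a hypothetical host-matching regex (it is not the expression at index.js lines 28-29, which is not reproduced on this page), a linear-time rewrite of the same pattern, and an input-length guard for callers that cannot swap out the parser. The pattern names, the crafted-input shape and the 2048-character cap are assumptions made for the example.

```javascript
// Added example (not parse-uri's own code): a host-matching regex with the
// same class of defect the advisory describes, namely nested quantifiers that
// can split one input in exponentially many ways (CWE-1333), next to a
// linear-time rewrite and an input-length guard. VULNERABLE_HOST_RE is a
// hypothetical stand-in, not the expression at parse-uri index.js lines 28-29.

// VULNERABLE: the inner '+' and the outer '+' with only an optional '.'
// between them let the engine assign a run of n label characters to the
// iterations in 2^(n-1) different ways. On a string that can never match
// (trailing '!'), every one of those assignments is tried before failing.
const VULNERABLE_HOST_RE = /^(?:[a-z0-9-]+\.?)+$/i;

// HARDENED: the separator between labels is mandatory, so each character is
// consumed by exactly one sub-pattern and a non-match is detected in O(n).
const SAFE_HOST_RE = /^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.?$/i;

// Assumed cap applied before any regex runs; a defensive measure for callers
// that cannot replace the parser.
const MAX_INPUT_LENGTH = 2048;

// Constructed attacker input: n valid label characters followed by one
// character that can never match, so the engine must exhaust all paths.
function craftedHost(n) {
  return 'a'.repeat(n) + '!';
}

// Runs re.test() once and reports the result with wall-clock time in ms.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Measures how match time grows with the length of the crafted input.
function backtrackingGrowth(re, lengths) {
  return lengths.map((n) => ({ n, ...timeMatch(re, craftedHost(n)) }));
}

// Guarded parse: reject oversized input first, then use the linear pattern.
function parseHostGuarded(input, maxLen = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string') throw new TypeError('host must be a string');
  if (input.length > maxLen) {
    throw new RangeError(`host longer than ${maxLen} characters rejected`);
  }
  return SAFE_HOST_RE.test(input);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable pattern (exponential in n):');
  for (const r of backtrackingGrowth(VULNERABLE_HOST_RE, [16, 18, 20, 22])) {
    console.log(`  n=${r.n} matched=${r.matched} ${r.ms.toFixed(1)} ms`);
  }
  const big = timeMatch(SAFE_HOST_RE, craftedHost(100000));
  console.log(`hardened pattern, n=100000: matched=${big.matched} ${big.ms.toFixed(1)} ms`);
  console.log('guard accepts example.com:', parseHostGuarded('example.com'));
}
```

Run it with node: the vulnerable pattern's time roughly quadruples for every two extra characters of crafted input, while the hardened pattern rejects a 100,000-character crafted host in a few milliseconds. The lasting fix is to stop parsing untrusted URLs with a backtracking regex, for example by using the WHATWG URL parser built into Node; the length cap only bounds the damage for code that still calls the regex-based parser.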

WAF Protection Rules

WAF Rule

An issue in parse-uri allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

Reasoning

The GitHub issue #14 explicitly references vulnerable regex patterns in `parse-uri`'s `index.js` lines 28-29 used by the `parseUri` function. The PoC demonstrates ReDoS through this function. For the `parseuri` package (<2.0.0), the advisory links it to