
CVE-2024-45813:
find-my-way has a ReDoS vulnerability in multiparametric routes

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.22236%
Published: 9/18/2024
Updated: 10/7/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
find-my-way  | npm       | >= 9.0.0, < 9.0.1   | 9.0.1
find-my-way  | npm       | >= 5.5.0, < 8.2.2   | 8.2.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how regex patterns are generated for routes with multiple parameters in a single segment. The commit diff shows critical changes in index.js's _on() and findRoute() methods, where regexps.push('(.*?)') was replaced with backtrack-aware patterns. These functions previously created non-atomic greedy quantifiers that allowed exponential backtracking when parameters were separated by hyphens. The CWE-1333 classification and test case changes confirming parameter parsing behavior further validate this analysis.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

### Impact
A bad regular expression is generated any time you have two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`.
### Patches
Update to find-my-way v8.2.2 or v9.0.1 or subsequent versions.
### Workarounds
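The two checks a defender wants from this record are whether the installed find-my-way falls inside the affected ranges in the table above, and whether any of the application's own routes has the shape the impact section names (two parameters in one segment with a trailing `-`). The following is an added example, not code from Miggo or from the find-my-way project; the version ranges come from the table on this page, while the segment heuristic is an assumption that approximates the advisory's description rather than find-my-way's own route parser, and the sample route list is constructed.

```javascript
// Added example (not Miggo's or find-my-way's code): offline audit helpers
// for CVE-2024-45813. The affected ranges below are copied from the page's
// table; the route heuristic is an assumption based on the advisory text.

// Affected ranges as listed on the page: [min, maxExclusive) -> first patched version.
const AFFECTED_RANGES = [
  { min: [9, 0, 0], maxExclusive: [9, 0, 1], patched: '9.0.1' },
  { min: [5, 5, 0], maxExclusive: [8, 2, 2], patched: '8.2.2' },
];

// Parse "major.minor.patch" (optional leading "v", pre-release suffix ignored).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the first patched version to upgrade to when `version` is inside
// an affected range, or null when it is outside every range.
function vulnerableFindMyWay(version) {
  const v = parseSemver(version);
  for (const r of AFFECTED_RANGES) {
    if (compareSemver(v, r.min) >= 0 && compareSemver(v, r.maxExclusive) < 0) {
      return r.patched;
    }
  }
  return null;
}

// Heuristic (assumption, not find-my-way's parser): flag a path segment that
// declares two or more `:param` names and ends with `-`, the `/:a-:b-` shape
// the advisory describes.
function segmentMatchesAdvisoryShape(segment) {
  const paramCount = (segment.match(/:[A-Za-z_$][\w$]*/g) || []).length;
  return paramCount >= 2 && segment.endsWith('-');
}

// Return the subset of route patterns that contain at least one flagged segment.
function findRiskyRoutes(routes) {
  const risky = [];
  for (const route of routes) {
    const segments = route.split('/').filter(Boolean);
    if (segments.some(segmentMatchesAdvisoryShape)) risky.push(route);
  }
  return risky;
}

// Constructed sample route table for demonstration.
const sampleRoutes = [
  '/users/:id',
  '/reports/:year-:month-',
  '/files/:name.:ext',
  '/:a-:b-/details',
];

console.log('routes matching the advisory shape:', findRiskyRoutes(sampleRoutes));
console.log('8.1.0 -> upgrade to:', vulnerableFindMyWay('8.1.0'));
console.log('9.0.1 -> upgrade to:', vulnerableFindMyWay('9.0.1'));
```

Run it against the `version` field of the installed `node_modules/find-my-way/package.json` and the list of route strings your application registers; a non-null result from `vulnerableFindMyWay` means the package itself needs the upgrade regardless of route shape, while `findRiskyRoutes` only narrows down which registrations exercise the pattern the advisory describes.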
