7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52798

CVE-2024-52798: Unpatched `path-to-regexp` ReDoS in 0.1.x

Impact

The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

https://github.com/advisories/GHSA-9wv6-86v2-598j
https://blakeembrey.com/posts/2024-09-web-redos/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-52798

CVE-2024-52798:

7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
path-to-regexp	npm	< 0.1.12	0.1.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a ReDoS (Regular Expression Denial of Service) in the path-to-regexp library. The provided commit f01c26a013b1889f0c217c643964513acf17f6a4 directly patches the index.js file. The core logic change occurs within the pathToRegexp function. This function takes a path string and converts it into a regular expression. The patch modifies how this conversion happens, specifically how the backtrack variable is handled and how the pos (position) variable is updated within the callback of a path.replace call. These changes are intended to prevent the generation of regular expressions that are susceptible to catastrophic backtracking. Therefore, the pathToRegexp function is the primary function involved in the vulnerability, as it's responsible for generating the problematic regular expressions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-52798: Unpatched `path-to-regexp` ReDoS in 0.1.x

Impact

Patches

Workarounds

References

CVE-2024-52798:

7.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.7

7.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-52798: Unpatched `path-to-regexp` ReDoS in 0.1.x

Impact

Patches

Workarounds

References

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI