Path-to-Regexp is a popular library for working with routes and paths in JavaScript web applications. It has been widely used in projects such as Express.js, React Router, Vue Router, and more. The library provides a simple mechanism to convert path strings to regular expressions, which can then be used for matching and parsing URL paths.
A vulnerability, tracked as CVE-2024-45296, has been disclosed in path-to-regexp: for certain route patterns the library generates a regular expression that backtracks badly, so a single crafted URL can tie up the process for a long time and cause a Denial of Service (DoS). In this post we cover the vulnerability, how it is triggered, and the steps to mitigate it.
Vulnerability Details
The problem is in how path-to-regexp compiles a route that has two parameters within a single path segment separated by a character other than a period (.), for example /:a-:b. Both parameters compile to the same lazy character class ([^\/]+?), so a path containing many copies of the separator can be split between the two capture groups in many different ways. When the input is built so that it can never match, the regular expression engine tries every one of those splits before failing, and the matching time grows quadratically with the length of the input.
Because a regular expression match in Node.js runs synchronously on the main thread, the event loop is blocked for as long as the match runs, and no other request on that process is served until it finishes. The route is matched before any handler executes, so one attacker-controlled URL per worker process is enough to stall every concurrent user of that process.
Here is a snippet that reproduces the issue against a vulnerable release (the 0.1.x line exports the compile function directly and returns a RegExp; the 8.x API differs):
const pathToRegexp = require('path-to-regexp');
// Vulnerable route: two parameters in one segment, separated by '-'
const vulnerablePath = '/:parameter1-:parameter2';
// Generate the regular expression for the route
const regexp = pathToRegexp(vulnerablePath);
// Crafted input: many copies of the separator, followed by a '/a' suffix
// that guarantees the match fails, so the engine tries every possible split
const input = '/a' + '-a'.repeat(8000) + '/a';
console.time('exec');
const result = regexp.exec(input); // null, but only after extensive backtracking
console.timeEnd('exec');
In this example, matching the crafted input against the compiled route takes a noticeably long time (hundreds of milliseconds to seconds, depending on the machine and the input length) instead of microseconds, and the process serves nothing else while it runs. The trailing /a is what makes the input expensive: a path the route can match is resolved quickly, because the engine stops at the first successful split, whereas a path that can never match forces it through all of them.
Mitigation Measures
To close this issue, upgrade path-to-regexp. Users of the 0.1.x line should upgrade to 0.1.10; all other users should upgrade to 8.0.0. In most applications path-to-regexp is a transitive dependency of a framework (Express 4, for example, pins the 0.1.x line), so check which versions your lockfile actually resolves with npm ls path-to-regexp, and upgrade the framework or use your package manager's override mechanism so that the nested copy moves to a fixed version as well.
For 0.1.x users
npm i path-to-regexp@0.1.10
For other users
npm i path-to-regexp@8.0.0
After upgrading, re-run the reproduction against the new version and confirm that matching the crafted input returns immediately. Also re-test your routes for correctness: the fixed versions generate different regular expressions for the affected patterns, and 8.0.0 is a major release with API changes.
Original References
- path-to-regexp GitHub repository
- CVE-2024-45296 - NVD entry
- NPM Advisory in path-to-regexp
Conclusion
The path-to-regexp vulnerability highlights the need to continually monitor and update your dependencies, as new vulnerabilities can emerge over time. By staying up-to-date with both the direct and indirect dependencies of your projects, you minimize the risk of your applications being vulnerable to attacks.
We encourage you to always follow best practices and keep track of the latest security advisories, to ensure the safety and performance of your applications.
Timeline
Published on: 09/09/2024 19:15:13 UTC
Last modified on: 09/10/2024 12:09:50 UTC