Bug 2310908 (CVE-2024-45296) - CVE-2024-45296 path-to-regexp: Backtracking regular expressions cause ReDoS
Summary: CVE-2024-45296 path-to-regexp: Backtracking regular expressions cause ReDoS
Keywords:
Status: NEW
Alias: CVE-2024-45296
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2311005 2311007 2311009 2310984 2310985 2310986 2310987 2310988 2310989 2310990 2310991 2310992 2310993 2310994 2310995 2310996 2310997 2310998 2310999 2311000 2311001 2311002 2311004 2311006 2311008 2311010 2311011
Blocks:
Reported: 2024-09-09 19:20 UTC by OSIDB Bzimport
Modified: 2025-05-22 00:15 UTC (History)
CC: 171 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:10236 0 None None None 2024-11-25 18:24:44 UTC
Red Hat Product Errata RHSA-2024:10762 0 None None None 2024-12-03 16:17:10 UTC
Red Hat Product Errata RHSA-2024:10906 0 None None None 2024-12-10 01:37:59 UTC
Red Hat Product Errata RHSA-2024:11023 0 None None None 2024-12-12 20:00:46 UTC
Red Hat Product Errata RHSA-2024:7599 0 None None None 2024-10-09 05:33:00 UTC
Red Hat Product Errata RHSA-2024:7726 0 None None None 2024-10-07 09:25:00 UTC
Red Hat Product Errata RHSA-2024:7922 0 None None None 2024-10-16 02:40:50 UTC
Red Hat Product Errata RHSA-2024:8014 0 None None None 2024-10-22 01:06:33 UTC
Red Hat Product Errata RHSA-2024:8676 0 None None None 2024-10-30 14:33:27 UTC
Red Hat Product Errata RHSA-2025:0082 0 None None None 2025-01-08 11:31:40 UTC
Red Hat Product Errata RHSA-2025:0164 0 None None None 2025-01-09 11:28:22 UTC
Red Hat Product Errata RHSA-2025:0323 0 None None None 2025-01-15 01:20:09 UTC
Red Hat Product Errata RHSA-2025:0664 0 None None None 2025-01-23 13:02:53 UTC
Red Hat Product Errata RHSA-2025:0875 0 None None None 2025-02-05 10:49:16 UTC

Description OSIDB Bzimport 2024-09-09 19:20:42 UTC
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
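
As an added example (not part of the bug report or of the path-to-regexp project), the following audit function flags route patterns with the shape the description calls out: two `:name` parameters in one path segment whose separator is anything other than a period. It is a heuristic for triaging a route table before or alongside the upgrade; it only understands the `:name` parameter syntax and ignores custom regex groups, and the sample routes are constructed for illustration.

```javascript
// Added example, not code from the bug report or from path-to-regexp.
// Audits Express-style route patterns for the advisory's risky shape:
// two named parameters inside one "/"-delimited segment separated by
// something other than ".". Parameter syntax assumed: ":name".
const PARAM_RE = /:([A-Za-z_][A-Za-z0-9_]*)/g;

// Returns one finding per adjacent parameter pair that shares a segment
// with a non-period separator: { segment, params, separator }.
function findRiskySegments(route) {
  const findings = [];
  for (const segment of route.split('/')) {
    const params = [...segment.matchAll(PARAM_RE)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      // Literal text between the end of the previous param and the next one.
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      // The description exempts "." as a separator; anything else is flagged.
      if (separator !== '.') {
        findings.push({ segment, params: [prev[1], cur[1]], separator });
      }
    }
  }
  return findings;
}

// Runs the check over a whole route table and attaches the originating route.
function auditRoutes(routes) {
  return routes.flatMap((route) =>
    findRiskySegments(route).map((f) => ({ route, ...f })));
}

// Constructed sample routes: the first two are fine, the last two are risky.
const SAMPLE_ROUTES = [
  '/users/:id',
  '/files/:name.:ext',
  '/range/:from-:to',
  '/items/:a:b',
];

for (const f of auditRoutes(SAMPLE_ROUTES)) {
  console.log(`${f.route}: params "${f.params[0]}" and "${f.params[1]}" share ` +
    `segment "${f.segment}" with separator ${JSON.stringify(f.separator)}`);
}
```

Routes reported by the audit are the ones to rewrite (or to re-test after moving to 0.1.10 / 8.0.0), since the fixed versions change how such patterns are compiled.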

Comment 2 errata-xmlrpc 2024-10-07 09:24:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726

Comment 3 errata-xmlrpc 2024-10-09 05:32:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:7599 https://access.redhat.com/errata/RHSA-2024:7599

Comment 4 errata-xmlrpc 2024-10-16 02:40:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922

Comment 5 errata-xmlrpc 2024-10-22 01:06:24 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.7.0-RHEL-9

Via RHSA-2024:8014 https://access.redhat.com/errata/RHSA-2024:8014

Comment 6 errata-xmlrpc 2024-10-30 14:33:17 UTC
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676

Comment 7 errata-xmlrpc 2024-11-25 18:24:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2024:10236 https://access.redhat.com/errata/RHSA-2024:10236

Comment 8 errata-xmlrpc 2024-12-03 16:17:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:10762 https://access.redhat.com/errata/RHSA-2024:10762

Comment 9 errata-xmlrpc 2024-12-10 01:37:49 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906

Comment 10 errata-xmlrpc 2024-12-12 20:00:37 UTC
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023

Comment 11 errata-xmlrpc 2025-01-08 11:31:30 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082

Comment 12 errata-xmlrpc 2025-01-09 11:28:12 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:0164 https://access.redhat.com/errata/RHSA-2025:0164

Comment 13 errata-xmlrpc 2025-01-15 01:19:58 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:0323 https://access.redhat.com/errata/RHSA-2025:0323

Comment 14 errata-xmlrpc 2025-01-23 13:02:43 UTC
This issue has been addressed in the following products:

  RHOSS-1.35-RHEL-8

Via RHSA-2025:0664 https://access.redhat.com/errata/RHSA-2025:0664

Comment 16 errata-xmlrpc 2025-02-05 10:49:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875

