CVE-2024-45296 – Regular Expression Denial of Service (ReDoS)

Severity: None

Date: 2025-12-19


Abstract

path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time a path has two parameters within a single segment, separated by something that is not a period (.), for example "/:from-:to". Users of the 0.1 line should upgrade to 0.1.10. All other users should upgrade to 8.0.0.

The Oxygen products incorporate the path-to-regexp library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                                  Severity   Fixed Release Availability
Oxygen Content Fusion v7.1 and older     None       N/A

Mitigation

None required. The product is not affected in supported configurations (see Detail below).

Detail

CVE-2024-45296

Severity (of the upstream library vulnerability, as published for the CVE): High

CVSS Score: 7.5

CVE-2024-45296 is a Regular Expression Denial of Service (ReDoS) in the path-to-regexp library. A route pattern that contains two parameters within a single path segment, separated by a character other than a period, is compiled into a regular expression that backtracks heavily: matching time grows superlinearly with the length of the request path. In Node.js, regex evaluation runs on the event-loop thread, so an attacker-supplied path of sufficient length can stall the whole process and cause a temporary denial of service.

After review, we concluded our products are not affected in supported configurations. Oxygen Content Fusion registers only a catch-all route pattern ("/*"), which does not create the vulnerable expression described by CVE-2024-45296.
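The following is an added example, not code from this advisory, from Oxygen or from the path-to-regexp project. It shows the two checks a practitioner would run when triaging this CVE against their own application: an audit of registered route strings for the vulnerable shape described above (two ":param" tokens in one "/"-delimited segment with a non-period separator), which is why a catch-all such as "/*" is not flagged, and a timing probe against a hand-written regex that approximates what the unfixed library emits for "/:from-:to". The route-syntax parser, the hand-written regex and the crafted input are assumptions made for the example.

```javascript
// Added example (not from the Oxygen advisory or the path-to-regexp project).
// Part 1: audit Express/path-to-regexp style route strings for the CVE-2024-45296 shape.

// Assumption: a parameter is ":" followed by [A-Za-z0-9_]+ (plain path-to-regexp syntax;
// custom regex groups such as ":id(\\d+)" are not modelled here).
const PARAM_RE = /:([A-Za-z0-9_]+)/g;

// Return the parameter tokens (name, start, end) found in one path segment.
function paramsInSegment(segment) {
  const out = [];
  for (const m of segment.matchAll(PARAM_RE)) {
    out.push({ name: m[1], start: m.index, end: m.index + m[0].length });
  }
  return out;
}

// True when some "/"-delimited segment of `route` holds two parameters whose
// separator is anything other than a single period. Adjacent parameters ("/:a:b")
// are treated conservatively as a non-period separator and therefore flagged.
function isVulnerableRoute(route) {
  for (const segment of route.split("/")) {
    const params = paramsInSegment(segment);
    for (let i = 1; i < params.length; i++) {
      const sep = segment.slice(params[i - 1].end, params[i].start);
      if (sep !== ".") return true;
    }
  }
  return false;
}

// Filter a route table down to the patterns that need attention.
function auditRoutes(routes) {
  return routes.filter(isVulnerableRoute);
}

// Part 2: show the backtracking behaviour.
// Assumption: this regex approximates what unfixed path-to-regexp emits for "/:from-:to"
// (two lazy [^\/] groups separated by a literal "-", optional trailing slash, anchored).
const VULNERABLE_RE = /^\/([^\/]+?)-([^\/]+?)\/?$/i;

// Time one failing match against a constructed input of n "a-" units. The trailing "/x"
// guarantees failure, so the engine must try every split between the two groups:
// roughly n candidate boundaries for group 1, each scanned by group 2, i.e. O(n^2) work.
function timeMatch(re, n) {
  const input = "/" + "a-".repeat(n) + "a/x";
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { matched, ms, length: input.length };
}

// Constructed sample route table, including the catch-all this advisory describes.
const SAMPLE_ROUTES = [
  "/*",
  "/users/:id",
  "/files/:name.:ext",
  "/:from-:to",
  "/geo/:lat,:lng/tiles",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("flagged routes:", auditRoutes(SAMPLE_ROUTES));
  // Doubling n should roughly quadruple the time for the vulnerable regex.
  for (const n of [5000, 10000, 20000]) {
    console.log(`n=${n}`, timeMatch(VULNERABLE_RE, n));
  }
}
```

Run with `node` to see the flagged routes and the timing growth; the audit alone is what the advisory's conclusion rests on, since a route table containing only "/*" yields an empty flagged list.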
