CVE-2024-52798 – Regular Expression Denial of Service (ReDoS)

Severity: None

2025-12-19


Abstract

path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x releases of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

The Oxygen products incorporate path-to-regexp (transitively via Express) as a third-party library. This advisory was opened to address the potential impact of this third-party library’s vulnerability.

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen Content Fusion v7.1 and older | None | Oxygen Content Fusion 8.0 build 2025031016

Mitigation

None

Detail

CVE-2024-52798

Severity: High

CVSS Score: 7.7

CVE-2024-52798 is a Regular Expression Denial of Service (ReDoS) issue in the 0.1.x releases of the path-to-regexp library. In certain cases, the library can generate a regular expression that is susceptible to excessive backtracking, potentially causing performance degradation under malicious input. The issue stems from an incomplete fix for CVE-2024-45296 and is addressed by upgrading to path-to-regexp 0.1.12.

We reviewed our usage of Express (which includes path-to-regexp) in Oxygen Content Fusion. We do not process user-controlled input with custom regular expressions. Given this usage, we assess the vulnerability as not exploitable in our products.

Starting with Oxygen Content Fusion version 8.0 build 2025031016, path-to-regexp was updated to a non-vulnerable version.
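As an added example that is not part of this advisory or of the Oxygen products, the following Node script scans a package-lock.json (lockfileVersion 2 or 3 "packages" map) for every installed copy of path-to-regexp, including the copy nested under Express, and flags any 0.1.x version older than the fixed 0.1.12. The lockfile contents are constructed for illustration.

```javascript
// Added example: locate path-to-regexp copies affected by CVE-2024-52798 in a lockfile.
// Affected range per the advisory: 0.1.x releases older than 0.1.12.
const FIXED = [0, 1, 12];

// Parse the leading major.minor.patch of a version string into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// A version is affected if it is on the 0.1.x line and older than 0.1.12.
// Other major/minor lines (e.g. 6.x) are outside the range this advisory covers.
function isAffected(version) {
  const v = parseVersion(version);
  return v[0] === 0 && v[1] === 1 && compareVersions(v, FIXED) < 0;
}

// Walk the "packages" map; keys are install paths, so a copy nested under
// Express appears as "node_modules/express/node_modules/path-to-regexp".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPtr = path === 'node_modules/path-to-regexp' ||
      path.endsWith('/node_modules/path-to-regexp');
    if (isPtr && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not a real project's lockfile): one transitive copy
// still on 0.1.10, one already on 0.1.12, and an unrelated top-level 6.x copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { version: '4.21.1' },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.10' },
    'node_modules/other-lib/node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/path-to-regexp': { version: '6.3.0' },
  },
};

console.log(findAffected(sampleLock));
```

For a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy sits in the affected range.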
