CVE-2024-45296 in path-to-regexp
Summary
by MITRE • 09/09/2024
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/19/2025
The vulnerability identified as CVE-2024-45296 affects the path-to-regexp library, a widely used npm package for converting path strings into regular expressions. This library serves as a fundamental component in web applications and frameworks that handle URL routing, making it a critical element in the web infrastructure ecosystem. The issue stems from the library's handling of path parameters within URL segments, creating a potential performance degradation that can be exploited for denial-of-service attacks.
The technical flaw manifests when the library processes paths containing multiple parameters within a single segment separated by characters other than periods. This specific condition triggers the generation of suboptimal regular expressions that exhibit exponential backtracking behavior during pattern matching. The resulting regular expressions are particularly problematic because they can cause the JavaScript engine to spend excessive computational resources during regex evaluation, leading to significant performance degradation. This vulnerability is classified under CWE-400 as an Uncontrolled Resource Consumption, specifically manifesting as a denial-of-service condition.
The operational impact of this vulnerability extends beyond simple performance degradation to encompass complete application unavailability. In JavaScript environments, regular expression matching occurs on the main thread, which is responsible for handling all user interactions, event processing, and application logic. When a maliciously crafted path triggers the vulnerable regular expression, it blocks the event loop for extended periods, effectively freezing the application and preventing any further processing. This behavior aligns with ATT&CK technique T1499.004, which covers Network Denial of Service through resource exhaustion, and represents a classic example of how seemingly benign library functions can become attack vectors when improperly implemented.
The vulnerability affects all versions of path-to-regexp prior to 8.0.0, with specific mention of version 0.1 requiring an upgrade to 0.1.10 for the fix. The remediation strategy involves immediate upgrading to the patched versions, which contain optimized regular expression generation algorithms that eliminate the problematic backtracking patterns. Organizations should conduct comprehensive testing to ensure that the upgrade does not introduce any compatibility issues in their routing logic, particularly in complex applications with extensive URL parameter handling. Security teams should also implement monitoring for unusual processing patterns that might indicate exploitation attempts, as the vulnerability can be leveraged by attackers to disrupt services without requiring authentication or special privileges. The fix demonstrates the importance of proper regex design and the potential consequences of inadequate performance testing in widely used open source components.