-
-
Notifications
You must be signed in to change notification settings - Fork 16.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unpatched path-to-regexp
ReDoS in 0.1.x (CVE-2024-52798, CVE-2024-45296)
#6216
Comments
I’ve noticed an issue with how pnpm handles automatic vulnerability fixes. When a package version is updated, pnpm uses the >= prefix, for example:
This allows pnpm to install any version starting from 0.1.12 and above, including newer major versions like 3.3.0. However, this can lead to compatibility issues if the package consuming the dependency is not prepared for a major version upgrade.
This would ensure that the installed version stays below 1.0.0, preventing unexpected major version upgrades while still addressing vulnerabilities. |
In any case, the version of the dependent package should be updated. There are no changes that could break the express package: |
updating path-to-regexp to v0.1.12 causes some weired invalid rexex errors here Will copy stack trace later |
here's the error:
|
Hi @dbas-dn, could you let us know the version of Express you are using? Version 4.21.2 was recently released, which includes an update to the dependency and addresses the vulnerability |
in v4, path-to-regexp is actually pinned: anyway, this was patched in 4.21.2 |
@viceice I would recommend opening that as a new issue, but unfortunately in the process of trying to fix the CVE in V4 I had to sacrifice some previously valid paths due to ambiguity in the ['/-/verdaccio/data/package/readme/@:scope/:package/:version?', '/-/verdaccio/data/package/readme/:package/:version?'] This isn't ideal, but the way the backtracking protection has been written is that it assumed everything prior to the parameter was regular characters, while clearly |
This honestly just resulted in an outage for me, with the same error as #6216 (comment). I wasn't expecting a patch release to be a breaking change that causes the entire application to collapse without any changes to the code. |
CVE-2024-52798
CVE-2024-45296
A new vulnerability has appeared in a dependent package.
When forcibly updating to version 0.1.12, an error occurs: TypeError: pathRegexp is not a function.
The text was updated successfully, but these errors were encountered: