High severity · 7.5 · OSV Advisory · Published Sep 9, 2024 · Updated Apr 15, 2026
CVE-2024-45296
Description
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | >= 0.2.0, < 1.9.0 | 1.9.0 |
| path-to-regexp (npm) | < 0.1.10 | 0.1.10 |
| path-to-regexp (npm) | >= 7.0.0, < 8.0.0 | 8.0.0 |
| path-to-regexp (npm) | >= 2.0.0, < 3.3.0 | 3.3.0 |
| path-to-regexp (npm) | >= 4.0.0, < 6.3.0 | 6.3.0 |
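
A triage check for the condition in the description and the ranges in the table above, as an added example that is not code from the advisory or from the path-to-regexp project. The function names, the sample routes and the sample version `0.1.7` are constructed for illustration, and the route check is a conservative heuristic that reports segments for manual review.

```javascript
// Affected ranges from the "Affected packages" table: [min inclusive, max exclusive).
const AFFECTED = [
  ["0.0.0", "0.1.10"], ["0.2.0", "1.9.0"], ["2.0.0", "3.3.0"],
  ["4.0.0", "6.3.0"], ["7.0.0", "8.0.0"],
];

// Compare plain x.y.z versions numerically (pre-release tags are not handled).
function cmp(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffectedVersion(v) {
  return AFFECTED.some(([lo, hi]) => cmp(v, lo) >= 0 && cmp(v, hi) < 0);
}

// Return the segments of a route that hold two parameters whose separator is
// not exactly ".". Conservative: an empty separator or an inline custom
// pattern between the names is also reported, for manual review.
function riskySegments(route) {
  const hits = [];
  for (const seg of route.split("/")) {
    const params = [...seg.matchAll(/:\w+/g)];
    for (let i = 1; i < params.length; i++) {
      const prevEnd = params[i - 1].index + params[i - 1][0].length;
      if (seg.slice(prevEnd, params[i].index) !== ".") {
        hits.push(seg);
        break;
      }
    }
  }
  return hits;
}

function audit(version, routes) {
  if (!isAffectedVersion(version)) return [];
  return routes
    .map((route) => ({ route, segments: riskySegments(route) }))
    .filter((r) => r.segments.length > 0);
}

// Constructed sample routes, not taken from the advisory.
const SAMPLE_ROUTES = ["/users/:id", "/flights/:from-:to", "/files/:name.:ext", "/:a/:b"];
console.log(audit("0.1.7", SAMPLE_ROUTES));
```

Upgrading to a patched version from the table remains the fix; the route list only helps prioritise which services to upgrade first.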
Affected products (133)
- Range: 0.0.2, 0.1.0, v0.1.1, …
References (11)
- github.com/advisories/GHSA-9wv6-86v2-598j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-45296 (ghsa, ADVISORY)
- github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f (nvd, WEB)
- github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (nvd, WEB)
- github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485 (ghsa, WEB)
- github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef (ghsa, WEB)
- github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894 (ghsa, WEB)
- github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0 (ghsa, WEB)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j (nvd, WEB)
- security.netapp.com/advisory/ntap-20250124-0001 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250124-0001/ (nvd)