High severity · NVD Advisory · Published Dec 5, 2024 · Updated Apr 15, 2026
CVE-2024-52798
Description
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x releases of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | < 0.1.12 | 0.1.12 |
Patches
2640e694c6fd9f01c26a013b1 · Merge commit from fork
2 files changed · +13 −3
index.js+9 −3 modified@@ -72,20 +72,26 @@ function pathToRegexp(path, keys, options) { path = path.replace( /\\.|(\/)?(\.)?:(\w+)(\(.*?\))?(\*)?(\?)?|[.*]|\/\(/g, function (match, slash, format, key, capture, star, optional, offset) { - pos = offset + match.length; - if (match[0] === '\\') { backtrack += match; + pos += 2; return match; } if (match === '.') { backtrack += '\\.'; extraOffset += 1; + pos += 1; return '\\.'; } - backtrack = slash || format ? '' : path.slice(pos, offset); + if (slash || format) { + backtrack = ''; + } else { + backtrack += path.slice(pos, offset); + } + + pos = offset + match.length; if (match === '*') { extraOffset += 3;
test.js+4 −0 modified@@ -8,6 +8,10 @@ describe('path-to-regexp', function () { }, /path must be a string, array of strings, or regular expression/); }); + it('should generate a regex without backtracking', function () { + assert.deepEqual(pathToRegExp('/:a-:b'), /^(?:\/([^/]+?))-(?:((?:(?!\/|-).)+?))\/?$/i); + }); + describe('strings', function () { it('should match simple paths', function () { var params = [];
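Review bot: the decisive change in the index.js hunk is moving `pos = offset + match.length;` below the `path.slice(pos, offset)` call. In the removed ordering `pos` had already been advanced past `offset` when the slice ran, so `backtrack` received an empty string for every parameter not preceded by a slash or dot, which is why the earlier CVE-2024-45296 fix never emitted a lookahead for a separator such as `-`. Changing the assignment to `backtrack += path.slice(pos, offset)` also preserves the escaped characters and literal dots collected by the two early-return branches, which now have to advance `pos` themselves (`pos += 2` for the two-character escape, `pos += 1` for the dot). A one-line comment above the slice saying that `pos` must still point at the end of the previous match when the slice runs would protect this ordering, because the old form was syntactically plausible and silently wrong.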
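Review bot: the test.js hunk pins the exact regex generated for `/:a-:b`, which exercises the reordered `pos` assignment but not the escape (`\\.`) and literal-dot branches that were also changed in index.js; a second case with a literal `.` between two parameters would cover the `pos += 1` path. A behavioural assertion alongside the source comparison (the second capture group must reject a value containing the `-` separator, which is what the `(?!\/|-)` lookahead in the expected pattern enforces) would document the intent of the fix rather than only its current textual output, so that a later cosmetic change to the generated regex does not break the test without anyone re-checking the backtracking property.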
References
- github.com/advisories/GHSA-rhx6-c78j-4q9w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-52798 (GHSA, advisory)
- blakeembrey.com/posts/2024-09-web-redos (GHSA, web)
- github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4 (NVD, web)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w (NVD, web)
- security.netapp.com/advisory/ntap-20250124-0002/ (GHSA and NVD, web)