High severity · OSV Advisory · Published Dec 5, 2024 · Updated Apr 15, 2026
CVE-2024-52798
Description
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| path-to-regexp (npm) | < 0.1.12 | 0.1.12 |
Affected products
66 entries:
- Range: 0.0.2, 0.1.0, v0.1.1, …
- osv-coords, 65 versions (no CPE for any entry):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/argo-workflow-cli | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflow-controller | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflow-controller-compat | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflow-executor | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflow-executor-compat | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflows | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflows-known-hosts | < 3.6.2-r1 |
| pkg:apk/chainguard/argo-workflows-ui | < 3.6.2-r1 |
| pkg:apk/chainguard/grafana-image-renderer | < 3.11.6-r2 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.9.2-r3 |
| pkg:apk/chainguard/kubeflow-pipelines | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-apiserver | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-cache-deployer | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compat | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-cache_server | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-config | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-metadata-writer | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compat | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-persistence_agent | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-scheduledworkflow | < 2.3.0-r3 |
| pkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controller | < 2.3.0-r3 |
| pkg:apk/chainguard/sqlpad | < 7.5.2-r0 |
| pkg:apk/chainguard/sqlpad-compat | < 7.5.2-r0 |
| pkg:apk/chainguard/thingsboard | < 3.8.1-r4 |
| pkg:apk/chainguard/thingsboard-tb-js-executor | < 3.8.1-r4 |
| pkg:apk/chainguard/thingsboard-tb-mqtt-transport | < 3.8.1-r4 |
| pkg:apk/chainguard/thingsboard-tb-node | < 3.8.1-r4 |
| pkg:apk/chainguard/thingsboard-tb-web-ui | < 3.8.1-r4 |
| pkg:apk/chainguard/tileserver-gl | < 5.1.1-r0 |
| pkg:apk/chainguard/tileserver-gl-compat | < 5.1.1-r0 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.1.1-r0 |
| pkg:apk/chainguard/tileserver-gl-fips-compat | < 5.1.1-r0 |
| pkg:apk/wolfi/argo-workflow-cli | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflow-controller | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflow-controller-compat | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflow-executor | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflow-executor-compat | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflows | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflows-known-hosts | < 3.6.2-r1 |
| pkg:apk/wolfi/argo-workflows-ui | < 3.6.2-r1 |
| pkg:apk/wolfi/grafana-image-renderer | < 3.11.6-r2 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.9.2-r3 |
| pkg:apk/wolfi/kubeflow-pipelines | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-apiserver | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-cache-deployer | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compat | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-cache_server | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-config | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-metadata-writer | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compat | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-persistence_agent | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-scheduledworkflow | < 2.3.0-r3 |
| pkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controller | < 2.3.0-r3 |
| pkg:apk/wolfi/sqlpad | < 7.5.2-r0 |
| pkg:apk/wolfi/sqlpad-compat | < 7.5.2-r0 |
| pkg:apk/wolfi/thingsboard | < 3.8.1-r4 |
| pkg:apk/wolfi/thingsboard-tb-js-executor | < 3.8.1-r4 |
| pkg:apk/wolfi/thingsboard-tb-mqtt-transport | < 3.8.1-r4 |
| pkg:apk/wolfi/thingsboard-tb-node | < 3.8.1-r4 |
| pkg:apk/wolfi/thingsboard-tb-web-ui | < 3.8.1-r4 |
| pkg:apk/wolfi/tileserver-gl | < 5.1.1-r0 |
| pkg:apk/wolfi/tileserver-gl-compat | < 5.1.1-r0 |
| pkg:npm/path-to-regexp | < 0.1.12 |
References
- github.com/advisories/GHSA-rhx6-c78j-4q9w (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-52798 (ghsa, ADVISORY)
- blakeembrey.com/posts/2024-09-web-redos (ghsa, WEB)
- github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4 (nvd, WEB)
- github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w (nvd, WEB)
- security.netapp.com/advisory/ntap-20250124-0002 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250124-0002/ (nvd)