CVE-2024-45296 Overview
CVE-2024-45296 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the popular path-to-regexp npm package, which is widely used by JavaScript applications and frameworks to convert path strings into regular expressions for route matching. The vulnerability allows attackers to craft malicious input that causes catastrophic backtracking in the generated regular expressions, leading to severe performance degradation and denial of service.
Critical Impact
Due to JavaScript's single-threaded nature, successful exploitation blocks the main event loop, causing complete application unresponsiveness and denial of service for all users.
Affected Products
- path-to-regexp versions prior to 0.1.10
- path-to-regexp versions 0.2.x through 7.x.x (prior to 8.0.0)
- Applications and frameworks using vulnerable path-to-regexp versions (Express.js routing, React Router, etc.)
Discovery Timeline
- September 9, 2024 - CVE-2024-45296 published to NVD
- January 24, 2025 - Last updated in NVD database
Technical Details for CVE-2024-45296
Vulnerability Analysis
This vulnerability falls under CWE-1333 (Inefficient Regular Expression Complexity), commonly known as ReDoS (Regular Expression Denial of Service). The path-to-regexp library dynamically generates regular expressions from user-provided route patterns. When certain path patterns contain two parameters within a single segment separated by a non-period character, the library produces a poorly constructed regular expression that exhibits exponential time complexity during matching operations.
The attack exploits the fundamental architecture of Node.js applications. Since JavaScript executes on a single thread and regex matching occurs on the main thread, a computationally expensive regex operation will block the entire event loop. This means that while the regex engine struggles with catastrophic backtracking, no other requests can be processed, effectively taking down the entire application.
Root Cause
The root cause lies in how path-to-regexp constructs regular expressions when processing route patterns with specific structural characteristics. When a route pattern includes two parameters within a single path segment that are separated by a character other than a period (.), the resulting regular expression contains nested quantifiers or alternations that can cause exponential backtracking when matched against crafted input strings.
For example, patterns like /:foo-:bar or /:foo_:bar generate regular expressions with ambiguous matching groups that the regex engine cannot efficiently resolve when presented with carefully constructed input strings containing repeating patterns.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker identifies applications using vulnerable versions of path-to-regexp and sends HTTP requests with malicious path strings designed to trigger the inefficient regex behavior. The attack requires no special privileges and no user interaction, making it highly accessible to potential attackers.
The attacker constructs input strings that maximize backtracking in the vulnerable regular expression. When the application attempts to match the incoming request path against its defined routes, the regex engine enters a state of exponential backtracking, consuming CPU cycles and blocking the event loop until the operation completes or the process crashes.
Detection Methods for CVE-2024-45296
Indicators of Compromise
- Sudden and sustained increases in CPU utilization on Node.js application servers
- Application response times degrading from milliseconds to seconds or minutes
- Event loop lag metrics spiking abnormally without corresponding traffic increases
- Timeout errors across multiple endpoints despite normal infrastructure health
- HTTP requests with unusually long or repetitive path segments in access logs
Detection Strategies
- Monitor application performance metrics for abnormal CPU consumption patterns on Node.js processes
- Implement event loop monitoring using tools like clinic.js or Node.js performance hooks to detect blocking operations
- Deploy application-level timeout mechanisms that terminate long-running regex operations
- Audit package.json and package-lock.json files for vulnerable path-to-regexp versions using npm audit or Snyk
- Configure Web Application Firewalls (WAF) to detect and block requests with suspiciously long or repetitive URL path patterns
Monitoring Recommendations
- Set up alerting on event loop delay metrics exceeding baseline thresholds (e.g., >100ms)
- Implement real-time dependency scanning in CI/CD pipelines to catch vulnerable package versions before deployment
- Monitor for patterns in request logs showing repeated characters or segments that may indicate ReDoS attempts
- Track application availability metrics and correlate with incoming request patterns to identify attack attempts
How to Mitigate CVE-2024-45296
Immediate Actions Required
- Immediately audit all Node.js applications for path-to-regexp dependency usage and version numbers
- Upgrade path-to-regexp to version 0.1.10 for applications using the 0.1.x branch
- Upgrade path-to-regexp to version 8.0.0 or later for all other applications
- Review frameworks that bundle path-to-regexp (Express.js, etc.) and ensure they use patched versions
- Implement request timeout mechanisms as a defense-in-depth measure while patches are deployed
Patch Information
The maintainers have released patches addressing this vulnerability in two separate commits. For users on the legacy 0.1.x branch, version 0.1.10 contains the fix. For all other users, upgrading to version 8.0.0 resolves the issue. The patches modify the regular expression generation logic to avoid producing patterns susceptible to catastrophic backtracking.
Detailed patch information is available in the GitHub Security Advisory GHSA-9wv6-86v2-598j. The specific code changes can be reviewed in the 0.1.x branch fix commit and the main branch fix commit.
Workarounds
- Implement request rate limiting at the reverse proxy or load balancer level to limit the impact of potential attacks
- Configure web server request timeouts to terminate requests that exceed reasonable processing times
- Avoid using route patterns with multiple parameters in a single segment separated by non-period characters (e.g., avoid /:foo-:bar patterns)
- Deploy WAF rules to filter requests with suspicious path patterns containing excessive repetition
- Consider using Node.js worker threads for route matching in high-risk environments to prevent main thread blocking
# Update path-to-regexp to patched version
npm update path-to-regexp
# For legacy 0.1.x users
npm install path-to-regexp@0.1.10
# For all other users (recommended)
npm install path-to-regexp@8.0.0
# Audit dependencies for vulnerable versions
npm audit
# Force resolution in package-lock.json
npm audit fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
