CVE-2024-45813 Overview
CVE-2024-45813 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting find-my-way, a fast, open source HTTP router that internally uses a Radix Tree (compact Prefix Tree) for route matching. The vulnerability occurs when a malformed regular expression is generated during route registration, specifically when two parameters exist within a single segment with a trailing hyphen, such as /:a-:b-. This pattern triggers inefficient regex evaluation that can be exploited to cause denial of service conditions in affected applications.
Critical Impact
Applications using vulnerable versions of find-my-way may experience denial of service when processing specially crafted HTTP requests that exploit the malformed regex pattern, potentially leading to service unavailability.
Affected Products
- find-my-way versions prior to v8.2.2
- find-my-way versions v9.x prior to v9.0.1
- Web frameworks and applications built on find-my-way router (including Fastify-based applications)
Discovery Timeline
- 2024-09-18 - CVE-2024-45813 published to NVD
- 2024-09-20 - Last updated in NVD database
Technical Details for CVE-2024-45813
Vulnerability Analysis
The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). When route definitions contain two parameters within a single path segment followed by a trailing hyphen (e.g., /:a-:b-), the find-my-way router generates a problematic regular expression pattern. This malformed regex exhibits catastrophic backtracking behavior when processing certain input strings, causing the JavaScript regex engine to consume excessive CPU resources.
The attack can be executed over the network without requiring authentication or user interaction. While the vulnerability does not impact confidentiality or integrity, it directly affects availability by allowing attackers to exhaust server resources through carefully crafted HTTP requests.
Root Cause
The root cause lies in the regex generation logic within the parametric node handling code. When parsing route segments containing multiple parameters separated by hyphens, the router failed to properly account for edge cases where a trailing hyphen exists after the final parameter. This resulted in the generation of an inefficient regex pattern susceptible to exponential time complexity during backtracking operations.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests to routes that trigger the vulnerable regex pattern. The attack is network-accessible, of low attack complexity, and needs no privileges or user interaction. The denial of service occurs when the regex engine enters a catastrophic backtracking state while attempting to match the malicious input against the poorly constructed pattern.
The vulnerability manifests during route matching operations. When a route is defined with the problematic pattern /:a-:b-, any subsequent request matching this route structure can trigger the ReDoS condition if crafted input is provided.
if (isParametricNode) {
let isRegexNode = false
+ let isParamSafe = true
+ let backtrack = ''
const regexps = []
let lastParamStartIndex = i + 1
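Review bot: the two added declarations, `let isParamSafe = true` and `let backtrack = ''`, are never read within this hunk, so the excerpt by itself does not show how the `/:a-:b-` case is prevented; please extend the excerpt (or the caption) to the lines where `isParamSafe` is cleared and where `backtrack` is folded into the generated regex, since those use sites are what a reviewer needs to verify the fix, and a one-line comment on what each variable holds would help future readers of the parametric-node parsing code.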
Source: GitHub Commit Update
The patch introduces isParamSafe and backtrack variables to properly handle parameter parsing within route segments, preventing the generation of vulnerable regex patterns.
Detection Methods for CVE-2024-45813
Indicators of Compromise
- Abnormally high CPU utilization on servers running find-my-way-based applications
- HTTP request processing times increasing exponentially for specific route patterns
- Application logs showing timeout errors or unresponsive request handlers
- Thread pool exhaustion in Node.js applications under sustained attack
Detection Strategies
- Monitor for requests with unusual path segment patterns containing multiple hyphens and parameters
- Implement request timeout thresholds to identify potential ReDoS exploitation attempts
- Review application routes for patterns matching /:param1-:param2- syntax
- Use software composition analysis (SCA) or dependency-audit tools to scan package.json and package-lock.json for vulnerable find-my-way versions, including transitive copies pulled in by frameworks such as Fastify
Monitoring Recommendations
- Configure application performance monitoring (APM) to alert on regex evaluation time anomalies
- Set up CPU usage thresholds to detect sustained high utilization indicative of DoS attacks
- Monitor request latency percentiles for sudden spikes affecting specific route patterns
- Enable verbose logging for route matching operations during incident investigation
How to Mitigate CVE-2024-45813
Immediate Actions Required
- Upgrade find-my-way to version 8.2.2 or later (for v8.x users)
- Upgrade find-my-way to version 9.0.1 or later (for v9.x users)
- Audit existing route definitions for vulnerable patterns (/:a-:b-)
- Implement request timeouts as a defense-in-depth measure
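The route audit from the Detection Strategies list and the version check from the Immediate Actions list, as an added example (not find-my-way's own code). It assumes find-my-way's route syntax as described on this page (":param" declarations, "::" as an escaped colon, an optional "(regex)" after a parameter name) and the affected ranges stated above.

```javascript
// Added example (not find-my-way's own code): the route-pattern review and the
// affected-version check from the lists above, runnable with plain Node.js.
// Describe each "/"-separated segment of a find-my-way route: number of ":param"
// declarations and whether it ends with a literal hyphen. "::" is an escaped colon
// (static text); a "(...)" group is taken as a parameter regex and skipped, so a
// "/" or "-" inside it is not mistaken for route syntax.
function describeSegments(route) {
  const segments = [];
  let start = 0, params = 0, depth = 0;
  for (let i = 0; i <= route.length; i++) {
    const ch = route[i];
    if (i === route.length || (depth === 0 && ch === '/')) {
      const text = route.slice(start, i);
      if (text) segments.push({ text, params, trailingHyphen: text.endsWith('-') });
      start = i + 1; params = 0;
    } else if (ch === '(') depth++;
    else if (ch === ')') depth = Math.max(0, depth - 1);
    else if (depth === 0 && ch === ':') {
      if (route[i + 1] === ':') i++; // "::" escape: a static colon, not a parameter
      else params++;
    }
  }
  return segments;
}
// Flag routes with the shape the advisory describes: two or more parameters in
// one segment plus a trailing hyphen, e.g. "/:a-:b-".
function findVulnerableRoutes(routes) {
  return routes.filter((r) => describeSegments(r).some((s) => s.params >= 2 && s.trailingHyphen));
}
// Affected ranges as stated above: every release before 8.2.2, and 9.x before 9.0.1.
// Plain major.minor.patch comparison; a pre-release suffix is ignored (assumption).
function parseVersion(v) {
  const parts = v.replace(/^v/, '').split('-')[0].split('.').map((n) => Number(n) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
function isAffectedVersion(version) {
  const fixed = parseVersion(version)[0] === 9 ? '9.0.1' : '8.2.2';
  return compareVersions(version, fixed) < 0;
}
// Constructed sample input: a route table and versions as printed by `npm list`.
const sampleRoutes = ['/users/:id', '/files/:name-:ext-', '/a/:x-:y(\\d+)-/z', '/tag/:a-:b(-)'];
const sampleVersions = ['7.6.2', '8.2.1', 'v8.2.2', '9.0.0', '9.0.1'];
console.log('flagged routes:', findVulnerableRoutes(sampleRoutes));
console.log('affected versions:', sampleVersions.filter(isAffectedVersion));
```

A hyphen inside a parameter's regex group (the last sample route) is deliberately not counted as a trailing hyphen, so only segments whose literal text ends in "-" are flagged.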
Patch Information
The vulnerability has been addressed in find-my-way versions v8.2.2 and v9.0.1. The fix introduces proper parameter safety checks and backtracking prevention in the route parsing logic. Users should update their dependencies to these versions or subsequent releases.
For detailed information about the vulnerability and patch, see the GitHub Security Advisory GHSA-rrr8-f88r-h8q6. Additional context on web-based ReDoS vulnerabilities is available in the Blake Embrey Blog Post.
Workarounds
- No known workarounds are available for this vulnerability according to the security advisory
- As a temporary measure, avoid defining routes with the vulnerable pattern /:param1-:param2-
- Implement rate limiting and request timeout controls to reduce DoS impact
- Consider using a web application firewall (WAF) to filter suspicious request patterns
# Update find-my-way to the patched version (v8.x line)
npm install find-my-way@^8.2.2
# Or for v9.x users
npm install find-my-way@^9.0.1
# Verify the installed version, including nested copies pulled in by frameworks such as Fastify
npm list find-my-way
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

