SentinelOne

CVE-2024-52798: path-to-regexp DoS Vulnerability

CVE-2024-52798 is a denial of service vulnerability in path-to-regexp in which regex backtracking can be exploited to cause poor performance. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2024-52798 Overview

path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

Critical Impact

This vulnerability may allow attackers to exploit regular expressions to cause performance degradation in affected applications.

Discovery Timeline

  • 2024-12-05 - CVE-2024-52798 published to NVD
  • 2025-01-24 - Last updated in NVD database

Technical Details for CVE-2024-52798

Vulnerability Analysis

The vulnerability resides in the path-to-regexp library, in the code that converts URL path strings into regular expressions. Outdated versions are affected because the regular expressions they generate handle backtracking improperly.

Root Cause

The root cause is an incomplete fix for a prior vulnerability, CVE-2024-45296, which leaves generated regular expressions susceptible to backtracking.

Attack Vector

The attack vector is network-based input: crafted path strings that are processed by vulnerable versions of the library.

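```javascript
// Example exploitation code (sanitized)
// path-to-regexp 0.1.x exports the conversion function directly.
var pathToRegexp = require('path-to-regexp');

// Report whether an input path matches the generated regular expression.
function testMatch(regex, input) {
    if (regex.test(input)) {
        console.log('Input matches the pattern.');
    } else {
        console.log('Input does not match the pattern.');
    }
}

var path = '/user/:id';
var regex = pathToRegexp(path);
console.log(regex);

// Sanitized stand-in for a crafted request path: this single-parameter route
// and input are benign and only show where request input reaches the regex.
testMatch(regex, '/user/1234567890123456789012345678901234567890');
```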

Detection Methods for CVE-2024-52798

Indicators of Compromise

  • Unusual CPU load on application servers
  • Excessive response times
  • Logs showing large numbers of regular expression evaluations

Detection Strategies

Use application performance monitoring tools to detect spikes in CPU and memory usage, especially during regex evaluations. Analyze logs for patterns that can cause backtracking.

Monitoring Recommendations

Implement regular expression performance profiling in development and production environments. Set alerts for performance degradation linked to regex processing.

How to Mitigate CVE-2024-52798

Immediate Actions Required

  • Upgrade path-to-regexp to version 0.1.12 or later
  • Review application code for direct usage of regex-based routing
  • Implement input validation to sanitize user inputs

Patch Information

Update to the latest stable version of path-to-regexp from the official repository or package manager.

Workarounds

If immediate patching is not possible, consider implementing custom route validation to minimize exposure to backtracking issues.

```bash
# Update path-to-regexp with npm
npm update path-to-regexp
```
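To confirm which installed copies of path-to-regexp are still in the 0.1.x range below 0.1.12, the npm lockfile can be checked directly. The following is an added example, not code from this page's vendor or from the path-to-regexp project; the function names, the sample lockfile and its package names are constructed for illustration.

```javascript
// Added example: flag path-to-regexp 0.1.x installs older than 0.1.12
// in a parsed npm lockfile. Names and sample data are constructed.
const FIXED_PATCH = 12; // from the page: "Upgrade to 0.1.12"

// True only for 0.1.x versions below 0.1.12, the range this page describes.
function isAffected(version) {
  const m = /^0\.1\.(\d+)$/.exec(String(version));
  return m !== null && Number(m[1]) < FIXED_PATCH;
}

// Supports both lockfile layouts: the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/path-to-regexp') && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'path-to-regexp' && isAffected(meta.version)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here); // nested copies installed under this package
    }
  };
  // lockfileVersion 2 carries both layouts; walk the tree only when the map is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (hypothetical package names, not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/path-to-regexp': { version: '0.1.10' },
    'node_modules/router-x/node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/other-lib/node_modules/path-to-regexp': { version: '6.3.0' },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.path} @ ${hit.version}`);
}
```

Pass it the parsed contents of a project's `package-lock.json` to audit a real tree; copies pulled in by other packages are reported with their full install path.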

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
