path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discovery 1 for RHEL 9 | RedHat | discovery/discovery-server-rhel9:1.12.0-1 | * |
| Discovery 1 for RHEL 9 | RedHat | discovery/discovery-ui-rhel9:1.12.0-1 | * |
| HawtIO HawtIO 4.2.0 | RedHat | io.hawt-project | * |
| Red Hat Developer Hub 1.3 on RHEL 9 | RedHat | rhdh-hub-container-1.3-138 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/nmstate-console-plugin-rhel9:v4.17.0-202501301204.p0.gcffdc60.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-networking-console-plugin-rhel9:v4.17.0-202501241234.p0.g2c4e34f.assembly.stream.el9 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.73.17-2 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.73.18-1 | * |
| RHODF-4.16-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.16.6-1 | * |
| RHODF-4.17-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.17.3-1 | * |
| Red Hat Developer Hub 1.5 | RedHat | rhdh/rhdh-hub-rhel9:sha256:56bfbb2328f42e91d0462e142f3434e5d771737defbc07d8a21dbdf50e468665 | * |
| Red Hat Developer Hub (RHDH) 1.4 | RedHat | rhdh/rhdh-hub-rhel9:sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572 | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-dashboard-rhel8:sha256:13da7e12e135cdb33c89686eca84cffae8ef691fcb4f346622ebd9b47f0a69ee | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-dashboard-rhel8:sha256:13da7e12e135cdb33c89686eca84cffae8ef691fcb4f346622ebd9b47f0a69ee | * |
| Red Hat OpenShift AI 2.17 | RedHat | rhoai/odh-dashboard-rhel8:sha256:e19276083d932dad46be57674cadf2757a4eeb5d1e2cc2b4ae650e0c8d2c1b02 | * |
| Node-express | Ubuntu | plucky | * |
| Node-path-to-regexp | Ubuntu | focal | * |
| Node-path-to-regexp | Ubuntu | oracular | * |
| Node-path-to-regexp | Ubuntu | plucky | * |
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.