path-to-regexp Regular Expression Denial-of-Service Vulnerability via Multiple Wildcards
Vulnerability
A regular expression denial-of-service (ReDoS) vulnerability has been identified in the path-to-regexp library. The issue arises when a path uses multiple wildcards together with at least one parameter: the generated regular expression is then susceptible to excessive backtracking. The vulnerable shape additionally requires that the second wildcard is not positioned at the end of the path. Upgrading to version 8.4.0 addresses the vulnerability. As a workaround, users of multiple wildcard parameters can check the generated regular expression with a tool such as ReCheck to confirm that a given path is not vulnerable.
Impact
Exploitation of this vulnerability triggers excessive backtracking in the generated regular expression. The resulting CPU consumption degrades the performance and responsiveness of the application, producing a denial-of-service condition.
Remediation
Users can upgrade to path-to-regexp version 8.4.0 to address this vulnerability. Instructions for upgrading can be found in the project's GitHub repository.
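The following added example (not code from the advisory or from the path-to-regexp project) is a small route-table linter that flags path strings with the shape described above, so they can be reviewed or re-checked with ReCheck before the upgrade is rolled out. It assumes path-to-regexp 8.x syntax, where `:name` is a parameter and `*name` is a wildcard, and treats backslash-escaped characters as literals; the sample route table is constructed for illustration.

```javascript
// Assumption: path-to-regexp v8 syntax (`:name` = parameter, `*name` = wildcard).
// An escaped character (`\:` or `\*`) is a literal and is not a token.
const TOKEN_RE = /(\\.)|([:*])([A-Za-z_$][\w$]*)/g;

// Tokenize a path into { kind: "param" | "wildcard", name, index } entries.
function tokenizePath(path) {
  const tokens = [];
  for (const m of path.matchAll(TOKEN_RE)) {
    if (m[1]) continue; // escaped character, not a parameter or wildcard
    tokens.push({
      kind: m[2] === ":" ? "param" : "wildcard",
      name: m[3],
      index: m.index,
    });
  }
  return tokens;
}

// True when the path has the shape the advisory describes:
//   - at least two wildcards,
//   - at least one parameter,
//   - the second wildcard is not the last thing in the path.
function isRiskyPath(path) {
  const tokens = tokenizePath(path);
  const wildcards = tokens.filter((t) => t.kind === "wildcard");
  const hasParam = tokens.some((t) => t.kind === "param");
  if (wildcards.length < 2 || !hasParam) return false;
  const second = wildcards[1];
  const endOfSecond = second.index + 1 + second.name.length; // 1 for the `*`
  return endOfSecond < path.length;
}

// Return the subset of a route table that should be reviewed.
function findRiskyRoutes(routes) {
  return routes.filter(isRiskyPath);
}

// Constructed sample route table (hypothetical application routes).
const SAMPLE_ROUTES = [
  "/users/:id",              // one parameter, no wildcard: fine
  "/files/*path",            // single wildcard: fine
  "/a/*x/:id/*y",            // second wildcard at the end: not the advisory's shape
  "/a/*x/:id/*y/edit",       // two wildcards, a parameter, second wildcard mid-path: flag
  "/:org/*rest/*more/:tail", // same shape: flag
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findRiskyRoutes(SAMPLE_ROUTES));
}
```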
