path-to-regexp Denial-of-Service Vulnerability via Regular Expression Repetition
Vulnerability
A denial-of-service vulnerability has been identified in the 'path-to-regexp' project, specifically in version 8.4.0. The issue arises from the generation of inefficient regular expressions when multiple sequential optional groups are used in route patterns. Matching cost for the generated regex grows exponentially with each additional optional group, leading to significant performance degradation. The vulnerability can be exploited by crafting route patterns that include several sequential optional groups, particularly where route patterns are user-controlled.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by overwhelming the application with resource-intensive regular expression processing, leading to increased latency or potential application crashes.
Remediation
Users can upgrade to 'path-to-regexp' version 8.4.0 or later to address this vulnerability. Additionally, it is recommended to limit the use of sequential optional groups in route patterns and to avoid using user-controlled input as route patterns.
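As an added illustration of the remediation above (limiting sequential optional groups and keeping user input out of route patterns), and not code from the path-to-regexp project: a guard that measures the longest run of adjacent optional groups in a route pattern and rejects patterns that exceed a policy threshold before they are compiled. It assumes path-to-regexp v8 syntax, where an optional group is written in braces such as `/users{/:id}`, and the threshold value is an arbitrary choice.

```javascript
// Policy value (assumed, not from the advisory): how many back-to-back
// optional groups a route pattern may contain before it is rejected.
const MAX_SEQUENTIAL_OPTIONAL_GROUPS = 2;

// Return the length of the longest run of adjacent optional groups
// ("{...}{...}{...}") in a path-to-regexp v8-style pattern. Backslash
// escapes are honoured, nested groups count once (as their outermost group),
// and any literal text between two groups breaks the run.
function longestOptionalGroupRun(pattern) {
  let longest = 0;
  let current = 0;
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { i++; continue; }        // escaped char is literal text inside or outside groups
    if (ch === "{") { depth++; continue; }     // entering a (possibly nested) optional group
    if (ch === "}") {
      if (depth > 0) depth--;
      if (depth === 0) {                       // closed an outermost group
        current++;
        longest = Math.max(longest, current);
      }
      continue;
    }
    if (depth === 0) current = 0;              // literal text outside a group resets the run
  }
  return longest;
}

// True when the pattern stays within the configured policy.
function isSafeRoutePattern(pattern) {
  return longestOptionalGroupRun(pattern) <= MAX_SEQUENTIAL_OPTIONAL_GROUPS;
}

// Guard to call before handing a pattern to the router; throws so that an
// over-complex (or attacker-supplied) pattern is never compiled.
function assertSafeRoutePattern(pattern) {
  const run = longestOptionalGroupRun(pattern);
  if (run > MAX_SEQUENTIAL_OPTIONAL_GROUPS) {
    throw new Error(
      `route pattern rejected: ${run} sequential optional groups ` +
      `(limit ${MAX_SEQUENTIAL_OPTIONAL_GROUPS})`
    );
  }
  return pattern;
}

// Constructed sample patterns for a quick self-check when run directly.
console.log(isSafeRoutePattern("/users{/:id}"));            // true
console.log(isSafeRoutePattern("/a{/:b}{/:c}{/:d}"));       // false
```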