CVE-2024-52798 is a newly disclosed vulnerability affecting versions of the popular JavaScript library path-to-regexp—commonly used in Express.js and other Node.js web frameworks. If you rely on this library, or use a framework built on top of it, you need to know how a simple path-matching string could allow attackers to drag down your server’s performance.
This article breaks down what CVE-2024-52798 means, shows you how it works, and explains how to patch your project. Don’t worry—no complicated jargon here.
What is path-to-regexp?
path-to-regexp is a tiny JavaScript library. Its main job: turn path patterns like /user/:id into regular expressions your server code can use to match routes.
Example
// Named export (path-to-regexp 6.x style); the 0.1.x line used by Express 4 exports the function directly
const { pathToRegexp } = require('path-to-regexp')
const re = pathToRegexp('/user/:id')
console.log(re) // Prints a regex along the lines of /^\/user\/([^\/]+?)\/?$/ (exact form varies by version)
It’s used in Express.js, koa-router, react-router, and many other projects.
The Core Issue
In all versions of path-to-regexp 0.1.x (except the very latest), there’s a bug where certain path patterns are compiled into “evil” regular expressions. These expressions can be abused by specially crafted input, causing your Node.js server to freeze or slow down—what's known as a Regular Expression Denial of Service (ReDoS) attack.
Critically, this issue is an incomplete fix for CVE-2024-45296. In other words, patching the original bug didn’t fix everything.
How is it exploitable?
Attackers can send certain paths to your app that trigger massive backtracking in the regex engine—burning through CPU and causing very slow response times.
Pattern string
'/user/(.*)+'
This pattern gets compiled to
/^\/user\/(.*)+$/
With certain input strings, the regex will cause catastrophic backtracking in the engine.
This test shows how a crafted path can freeze your Node process
// Run against the vulnerable release: npm install path-to-regexp@0.1.11
// The 0.1.x line exports the function directly; there is no named export
const pathToRegexp = require('path-to-regexp')
// This is the vulnerable pattern
const re = pathToRegexp('/user/(.*)+')
// A malicious input (long chain of 'a's followed by '!')
const attackString = '/user/' + 'a'.repeat(30) + '!'
console.time('match')
re.test(attackString)
console.timeEnd('match')
// If the regex engine spends a long time here, your server “freezes”
Attackers could repeat thousands of these slow requests, making your API nearly unusable.
References
- Original Advisory on GitHub
- NVD Entry: CVE-2024-52798
- Previous Related Vulnerability: CVE-2024-45296
To fix it, just run
npm install path-to-regexp@0.1.12
Or, in your package.json
"dependencies": {
  "path-to-regexp": "^0.1.12"
}
Save and run npm install again.
If you use Express or another framework that internally uses path-to-regexp, make sure your package-lock or yarn.lock actually resolves to at least 0.1.12. Use npm ls path-to-regexp to check!
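As an added example (not from the article or the path-to-regexp project), here is a small script that walks a package-lock.json and reports every path-to-regexp install in the 0.1.x line below 0.1.12, including nested copies that a framework such as Express carries under its own node_modules; the lockfile contents below are constructed for the demo.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for copies of path-to-regexp in the
// 0.1.x line older than 0.1.12, the first release that fully addresses CVE-2024-52798.
const FIXED = [0, 1, 12]

// "0.1.11" -> [0, 1, 11]; a pre-release suffix such as "-beta.1" is ignored for this check.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number)
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0)
    if (d !== 0) return d
  }
  return 0
}

// Only the 0.1.x line below 0.1.12 is in scope for this CVE; other majors are not flagged.
function isVulnerable(version) {
  const v = parseVersion(version)
  return v[0] === 0 && v[1] === 1 && compareVersions(v, FIXED) < 0
}

// Returns every vulnerable install with its lockfile path, which shows which parent
// package (for example express) pulled in the nested copy.
function findVulnerable(lock) {
  const hits = []
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/path-to-regexp') && meta.version && isVulnerable(meta.version)) {
      hits.push({ path: p, version: meta.version })
    }
  }
  return hits
}

// Constructed sample lockfile (not a real project): express carries a nested 0.1.x copy
// while the top-level copy is a modern major that this CVE does not cover.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { express: '^4.21.0' } },
    'node_modules/express': { version: '4.21.0', dependencies: { 'path-to-regexp': '0.1.10' } },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.10' },
    'node_modules/path-to-regexp': { version: '6.3.0' }
  }
}

// For a real project: findVulnerable(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
console.log(findVulnerable(sampleLock)) // [{ path: 'node_modules/express/node_modules/path-to-regexp', version: '0.1.10' }]
```

The lockfile path of each hit tells you which dependency to upgrade; once the parent package resolves to 0.1.12 or later, the script reports nothing.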
Can I Patch It Without Upgrading?
There’s no good workaround if you must support the old API, because the vulnerability is deep in how patterns are transformed into regexes. Filtering user input can’t reliably protect against all attack vectors.
Best practice: Upgrade all libraries that depend on path-to-regexp to the safe version.
Final Thoughts
CVE-2024-52798 is a classic example of how small mistakes with regular expressions can lead to big security headaches. If your team builds web APIs with Node, act fast—scan your dependency tree and upgrade path-to-regexp to 0.1.12 or higher.
Timeline
Published on: 12/05/2024 23:15:06 UTC
Last modified on: 01/24/2025 20:15:33 UTC