
(Low) Aikido Vulnerability > path-to-regexp

Open tom-vism opened this issue 1 year ago • 3 comments

Aikido reports a vulnerability to us because of your path-to-regexp dependency version. https://security.aikido.dev/cve/AIKIDO-2024-10181 Update your (peer) dependencies to use path-to-regexp 7.1.0.

TL;DR

The patched version adds a strict option to detect potential ReDoS issues. The worst case impact for these vulnerabilities can be "Attacker can trigger DoS attack via regex".

Aikido recommends

Upgrade path-to-regexp library to patch version (7.1.0) and use the 'strict: true' option.

tom-vism avatar Jul 24 '24 10:07 tom-vism
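The report above says the patched path-to-regexp adds a strict option that detects potential ReDoS, but does not say what shape of route it looks for. The following is an added example, not code from this thread, from express or from path-to-regexp: a small audit that flags the route shape the path-to-regexp advisory describes, more than one `:param` inside a single `/`-separated segment (for example `/:from-:to`), so a team can review its own route table before and after upgrading. It assumes the plain `:name` parameter syntax only (custom patterns such as `:id(\\d+)` are treated as ordinary parameters), and it is deliberately conservative: every multi-parameter segment is reported and the reviewer decides.

```javascript
// Added example, not code from the express issue or from path-to-regexp.
// It approximates the route shape that path-to-regexp's `strict` option
// rejects: two or more ":param" tokens inside one "/"-separated segment,
// where no delimiter stops the first parameter from consuming text meant
// for the second. Only the ":name" syntax is recognised (assumption: good
// enough for a route audit, not a full path-to-regexp parser).

const PARAM_RE = /:([A-Za-z_$][A-Za-z0-9_$]*)/g;

// Return the parameter names found in one "/"-free segment, in order.
function paramsInSegment(segment) {
  return Array.from(segment.matchAll(PARAM_RE), (m) => m[1]);
}

// Inspect one route string and return one finding per segment that holds
// two or more parameters. An empty array means "nothing to flag".
function auditRoute(route) {
  const findings = [];
  for (const segment of route.split("/")) {
    const params = paramsInSegment(segment);
    if (params.length >= 2) {
      findings.push({
        route,
        segment,
        params,
        reason: `${params.length} parameters share one segment; ` +
          "no delimiter stops one from consuming the other",
      });
    }
  }
  return findings;
}

// Audit a whole route table (e.g. the paths registered on an express app)
// and return every finding across all routes.
function findRiskyRoutes(routes) {
  return routes.flatMap(auditRoute);
}

// Constructed sample route table for a stand-alone run.
const SAMPLE_ROUTES = [
  "/users/:id",          // one parameter per segment: not flagged
  "/files/:name.:ext",   // two parameters in one segment: flagged
  "/range/:from-:to",    // the shape named in the advisory: flagged
  "/a/:x/:y",            // two parameters in separate segments: not flagged
];

for (const f of findRiskyRoutes(SAMPLE_ROUTES)) {
  console.log(`${f.route}: segment "${f.segment}" -> ${f.reason}`);
}
```

Flagged routes are the ones to look at first when deciding whether the upgrade (or, on older lines, the backported fix) changes their matching behaviour; splitting the parameters into separate segments or giving the first parameter an explicit pattern that cannot match the separator removes the ambiguity.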

I guess folks are using the legacy version in express for a reason. I can look for this ReDoS issue at 0.1.x.

cc: @blakeembrey

IamLizu avatar Aug 03 '24 02:08 IamLizu

@IamLizu there is no need to do anything here, thank you.

ctcpip avatar Aug 05 '24 17:08 ctcpip

Note that path-to-regexp is maintained by the express team. We will update this issue when we have more information about any impact to express.

ctcpip avatar Aug 05 '24 17:08 ctcpip

This has been resolved with the 4.20.0 release.

blakeembrey avatar Sep 10 '24 16:09 blakeembrey