Add backtrack protection to 1.x release #320
Conversation
Thank you for the fix, can you get the affected versions updated on GHSA-9wv6-86v2-598j please? As 1.9 is detected as broken when it is between 0.2.0 and 8.0.0.
@blakeembrey is it safe to update from 0.2.5 -> 1.9.0 or are there any breaking changes, as 0.2.5 is still being used by @nestjs/serve-static?
You can update to 1.9.0, there were no breaking changes in 1.0.0: https://github.com/pillarjs/path-to-regexp/blob/7aff887e73ee8bca5cc98ee6239616da07eb8523/History.md#100--2014-08-17
Hi, @blakeembrey! This version is still seen as a vulnerable version by JFrog Xray (CVE-2024-45296). The next version that is not vulnerable is 8.0.0, but this update includes breaking changes that could not be solved for packages like react-router v5. Is it possible to completely remove the vulnerability for version 1.x.x and other major versions below 8.x.x? Thanks!
I'm confident this shouldn't break 99.9% of usages, but may impact some edge cases of users of the library. Fixes ReDoS vector on matching. Closes #318. Does not fix ReDoS if user provides a vulnerable regex themselves, so I'll update the advisory to make it clear that it's possible to create a ReDoS if you override parameters with a custom capture and that isn't covered by the fix.
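The PR description above draws a line between two cases: parameters that rely on the library's default pattern, which the backtrack protection is aimed at, and custom captures supplied by the user, which it does not cover. The following is an added example, not code from this PR or from path-to-regexp, that a maintainer of an application's route table could run to find the routes that fall into each case. The tokenizer is a simplified re-implementation of the 1.x route syntax written for this example (it is not the library's parser), the `adjacent-params` rule is this example's own heuristic, and the example assumes the 1.x default parameter pattern excludes the `/` delimiter. `SAMPLE_ROUTES` is a constructed route table.

```javascript
// Added example, not code from this PR or from path-to-regexp itself.
// Audits route strings written in path-to-regexp 1.x syntax and reports:
//   - "adjacent-params": two parameters separated only by text that the first
//     parameter's default pattern can itself consume (the shape the 1.9.0
//     backtrack protection targets), and
//   - "custom-capture": a user-supplied ":name(pattern)" or "(pattern)", which the
//     PR explicitly leaves outside the fix and which therefore needs manual review.
// The tokenizer is a simplified re-implementation for this example, not the library's
// parser, and the adjacency rule is this example's own heuristic.

// One token per match: an escaped character, a named parameter with an optional custom
// capture and modifier, or an unnamed capture group with an optional modifier.
const TOKEN_RE =
  /\\.|:(\w+)(?:\(((?:\\.|[^\\()])+)\))?([+*?])?|\(((?:\\.|[^\\()])+)\)([+*?])?/g;

function tokenize(route) {
  const tokens = [];
  let literal = '';
  let last = 0;
  let m;
  TOKEN_RE.lastIndex = 0;
  while ((m = TOKEN_RE.exec(route)) !== null) {
    const [text, name, namedPattern, namedMod, groupPattern, groupMod] = m;
    literal += route.slice(last, m.index);
    last = m.index + text.length;
    if (text[0] === '\\') {          // "\x" is the literal character x, not a token
      literal += text[1];
      continue;
    }
    if (literal) {
      tokens.push({ type: 'literal', text: literal });
      literal = '';
    }
    tokens.push(name !== undefined
      ? { type: 'param', name, pattern: namedPattern,
          custom: namedPattern !== undefined, modifier: namedMod || '' }
      : { type: 'param', name: null, pattern: groupPattern,
          custom: true, modifier: groupMod || '' });
  }
  literal += route.slice(last);
  if (literal) tokens.push({ type: 'literal', text: literal });
  return tokens;
}

// A custom capture containing an unbounded wildcard overlaps with whatever follows it,
// so it is singled out in the report; every other custom capture is still reported.
const WILDCARD_RE = /\.[*+]/;

function auditRoute(route) {
  const findings = [];
  let prevParam = null;   // most recent parameter token
  let separator = '';     // literal text seen since that parameter
  for (const tok of tokenize(route)) {
    if (tok.type === 'literal') {
      separator += tok.text;
      continue;
    }
    if (tok.custom) {
      findings.push({
        kind: 'custom-capture',
        name: tok.name,
        pattern: tok.pattern,
        wildcard: WILDCARD_RE.test(tok.pattern),
      });
    }
    // Assumption: the 1.x default pattern cannot match "/", so a "/" between two
    // parameters is a hard boundary. Any other separator (e.g. "-" or ".") can be
    // consumed by the first parameter, which is what lets the regex engine retry
    // every possible split between the two parameters.
    if (prevParam && !prevParam.custom && !separator.includes('/')) {
      findings.push({ kind: 'adjacent-params',
                      names: [prevParam.name, tok.name], separator });
    }
    prevParam = tok;
    separator = '';
  }
  return findings;
}

// Returns only the routes that have at least one finding.
function auditRoutes(routes) {
  return routes
    .map((route) => ({ route, findings: auditRoute(route) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample route table for the demonstration.
const SAMPLE_ROUTES = [
  '/users/:id',
  '/users/:id/posts/:postId',
  '/:from-:to',
  '/files/:path(.*)',
];

console.log(JSON.stringify(auditRoutes(SAMPLE_ROUTES), null, 2));
```

Run against the sample table, the first two routes come back clean, `/:from-:to` is reported as `adjacent-params` with separator `-`, and `/files/:path(.*)` is reported as a `custom-capture` with a wildcard. Routes in the second category are the ones to review by hand after upgrading to 1.9.0, since the advisory update described in the PR says the fix does not cover patterns the user supplies.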