CVE-2024-45813Regex Denial of Service in Find-my-way

CWE-1333Regex Denial of Service4 documents4 sources
Severity
5.3MEDIUMNVD
GHSA7.5OSV7.5
EPSS
0.1%
top 77.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Delvedor Find-my-wayFind-my-way Project Find-my-way
Timeline
PublishedSep 18

Description

find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5delvedor/find-my-way< 8.2.2+1
npmfind-my-way_project/find-my-way5.5.08.2.2+1

🔴Vulnerability Details

2
OSV
find-my-way has a ReDoS vulnerability in multiparametric routes2024-09-18
GHSA
find-my-way has a ReDoS vulnerability in multiparametric routes2024-09-18

📋Vendor Advisories

1
Red Hat
find-my-way: ReDoS vulnerability in multiparametric routes2024-09-18