Lookup for vulnerable packages by Package URL.

purl pkg:npm/path-to-regexp@0.2.2
type npm
namespace
name path-to-regexp
version 0.2.2
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 1.9.0
latest_non_vulnerable_version 8.4.0
affected_by_vulnerabilities
0
url VCID-r95c-k4nq-jbd1
vulnerability_id VCID-r95c-k4nq-jbd1
summary
path-to-regexp outputs backtracking regular expressions
### Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.

### Patches

For users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`.

These versions add backtrack protection when a custom regex pattern is not provided:

- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)
- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)
- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)
- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)

They do not protect against vulnerable user-supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and is not considered a vulnerability.

From version [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) you can enable `strict: true` to get an error when the generated regular expression might be bad.

Version [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.

### Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string makes matching roughly 4x faster.

### Details

Using `/:a-:b` will produce the regular expression `/^\/([^\/]+?)-([^\/]+?)\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is that the trailing `/a` ensures the route can never match, yet because of naive backtracking the engine still tries every way of splitting the repeated 8,000 `-a` between `:a` and `:b`.

Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.

### References

* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45296.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45296.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45296
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.19885
published_at 2026-04-21T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.19888
published_at 2026-04-18T12:55:00Z
2
value 0.00064
scoring_system epss
scoring_elements 0.19883
published_at 2026-04-16T12:55:00Z
3
value 0.00064
scoring_system epss
scoring_elements 0.19905
published_at 2026-04-13T12:55:00Z
4
value 0.00064
scoring_system epss
scoring_elements 0.19964
published_at 2026-04-12T12:55:00Z
5
value 0.00064
scoring_system epss
scoring_elements 0.20069
published_at 2026-04-02T12:55:00Z
6
value 0.00064
scoring_system epss
scoring_elements 0.20127
published_at 2026-04-04T12:55:00Z
7
value 0.00064
scoring_system epss
scoring_elements 0.19855
published_at 2026-04-07T12:55:00Z
8
value 0.00064
scoring_system epss
scoring_elements 0.19934
published_at 2026-04-08T12:55:00Z
9
value 0.00064
scoring_system epss
scoring_elements 0.20008
published_at 2026-04-11T12:55:00Z
10
value 0.00064
scoring_system epss
scoring_elements 0.19989
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45296
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45296
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45296
3
reference_url https://github.com/pillarjs/path-to-regexp
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pillarjs/path-to-regexp
4
reference_url https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:32:57Z/
url https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f
5
reference_url https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:32:57Z/
url https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
6
reference_url https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485
7
reference_url https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef
8
reference_url https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894
9
reference_url https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0
10
reference_url https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:32:57Z/
url https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45296
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45296
12
reference_url https://security.netapp.com/advisory/ntap-20250124-0001
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250124-0001
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081656
reference_id 1081656
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081656
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2310908
reference_id 2310908
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2310908
15
reference_url https://access.redhat.com/errata/RHSA-2024:10236
reference_id RHSA-2024:10236
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10236
16
reference_url https://access.redhat.com/errata/RHSA-2024:10857
reference_id RHSA-2024:10857
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10857
17
reference_url https://access.redhat.com/errata/RHSA-2024:10865
reference_id RHSA-2024:10865
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10865
18
reference_url https://access.redhat.com/errata/RHSA-2024:10906
reference_id RHSA-2024:10906
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10906
19
reference_url https://access.redhat.com/errata/RHSA-2024:10917
reference_id RHSA-2024:10917
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10917
20
reference_url https://access.redhat.com/errata/RHSA-2024:10962
reference_id RHSA-2024:10962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10962
21
reference_url https://access.redhat.com/errata/RHSA-2024:11293
reference_id RHSA-2024:11293
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11293
22
reference_url https://access.redhat.com/errata/RHSA-2024:11381
reference_id RHSA-2024:11381
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11381
23
reference_url https://access.redhat.com/errata/RHSA-2024:7324
reference_id RHSA-2024:7324
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7324
24
reference_url https://access.redhat.com/errata/RHSA-2024:7599
reference_id RHSA-2024:7599
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7599
25
reference_url https://access.redhat.com/errata/RHSA-2024:7726
reference_id RHSA-2024:7726
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7726
26
reference_url https://access.redhat.com/errata/RHSA-2024:8014
reference_id RHSA-2024:8014
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8014
27
reference_url https://access.redhat.com/errata/RHSA-2024:8581
reference_id RHSA-2024:8581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8581
28
reference_url https://access.redhat.com/errata/RHSA-2024:8676
reference_id RHSA-2024:8676
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8676
29
reference_url https://access.redhat.com/errata/RHSA-2024:9884
reference_id RHSA-2024:9884
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9884
30
reference_url https://access.redhat.com/errata/RHSA-2024:9885
reference_id RHSA-2024:9885
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9885
31
reference_url https://access.redhat.com/errata/RHSA-2025:0082
reference_id RHSA-2025:0082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0082
32
reference_url https://access.redhat.com/errata/RHSA-2025:0164
reference_id RHSA-2025:0164
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0164
33
reference_url https://access.redhat.com/errata/RHSA-2025:0323
reference_id RHSA-2025:0323
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0323
34
reference_url https://access.redhat.com/errata/RHSA-2025:0664
reference_id RHSA-2025:0664
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0664
35
reference_url https://access.redhat.com/errata/RHSA-2025:0875
reference_id RHSA-2025:0875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0875
36
reference_url https://access.redhat.com/errata/RHSA-2025:3368
reference_id RHSA-2025:3368
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3368
37
reference_url https://access.redhat.com/errata/RHSA-2025:3397
reference_id RHSA-2025:3397
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3397
fixed_packages
0
url pkg:npm/path-to-regexp@1.9.0
purl pkg:npm/path-to-regexp@1.9.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@1.9.0
1
url pkg:npm/path-to-regexp@2.0.0
purl pkg:npm/path-to-regexp@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-r95c-k4nq-jbd1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@2.0.0
2
url pkg:npm/path-to-regexp@3.3.0
purl pkg:npm/path-to-regexp@3.3.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@3.3.0
3
url pkg:npm/path-to-regexp@4.0.0
purl pkg:npm/path-to-regexp@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-r95c-k4nq-jbd1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@4.0.0
4
url pkg:npm/path-to-regexp@6.3.0
purl pkg:npm/path-to-regexp@6.3.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@6.3.0
5
url pkg:npm/path-to-regexp@7.0.0
purl pkg:npm/path-to-regexp@7.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-r95c-k4nq-jbd1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@7.0.0
6
url pkg:npm/path-to-regexp@8.0.0
purl pkg:npm/path-to-regexp@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vjw-mm86-k7gn
1
vulnerability VCID-366w-k4rs-v7d3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@8.0.0
aliases CVE-2024-45296, GHSA-9wv6-86v2-598j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r95c-k4nq-jbd1
fixing_vulnerabilities
risk_score 4.0
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/path-to-regexp@0.2.2