From 7394fce72b3173f51acb6585284202a41d16d7cd Mon Sep 17 00:00:00 2001 From: Simon Date: Wed, 21 May 2025 11:31:53 -0700 Subject: [PATCH] Improve GHSA-rhx6-c78j-4q9w --- .../12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json b/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json index 43e51a3fec930..29c58af665688 100644 --- a/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json +++ b/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json @@ -1,19 +1,14 @@ { "schema_version": "1.4.0", "id": "GHSA-rhx6-c78j-4q9w", - "modified": "2025-01-24T21:41:07Z", + "modified": "2025-01-24T21:41:09Z", "published": "2024-12-05T22:40:47Z", "aliases": [ "CVE-2024-52798" ], "summary": "Unpatched `path-to-regexp` ReDoS in 0.1.x", "details": "### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/", - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" - } - ], + "severity": [], "affected": [ { "package": { @@ -65,7 +60,7 @@ "cwe_ids": [ "CWE-1333" ], - "severity": "HIGH", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-12-05T22:40:47Z", "nvd_published_at": "2024-12-05T23:15:06Z"