Critical ReDoS Vulnerability in path-to-regexp <0.1.13 Exposes Cloud Functions to Unauthenticated Denial-of-Service
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the `path-to-regexp` library, version 0.1.12, poses a direct threat to publicly accessible Cloud Functions. The flaw, cataloged as GHSA-37ch-88jc-xwx2 with a CVSS score of 7.5, allows an unauthenticated attacker to send a specially crafted HTTP request to any function endpoint. This triggers catastrophic backtracking in the route matcher, causing the Cloud Function process to hang, spike CPU usage to 100%, and eventually time out, effectively denying service to all API endpoints backed by that function.
The vulnerability resides in the transitive dependency chain `functions → express → path-to-regexp@0.1.12`. It is specifically exploitable when route patterns contain multiple named parameters. Because Cloud Functions are publicly reachable by design, the attack surface is broad and requires no authentication, making it a straightforward vector for sustained disruption. The issue was identified during a pre-PR audit by Cyber Shadow on April 18, 2026, and is resolved in `path-to-regexp` version 0.1.13 and later.
The immediate risk is a complete functional DoS, where a single malicious request can cripple an API endpoint. While no active exploitation is currently known and the flaw is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the public nature of the services and the simplicity of the attack make prompt remediation critical. The fix is to update the dependency by running `npm audit fix`, which pulls in the patched version and breaks the vulnerable transitive link through Express.
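As an added example (not part of the advisory, and not code from the `path-to-regexp`, Express or Cloud Functions projects), the following Node.js script checks whether a deployment is still exposed to the transitive chain described above. It scans a `package-lock.json` (lockfileVersion 2 or 3, an assumption) for every installed copy of `path-to-regexp`, resolves which copy each dependent package would actually load using Node's nearest-`node_modules` lookup, and reports any dependent whose resolved copy is below the fixed 0.1.13 release. The `SAMPLE_LOCK` object and its version numbers are constructed for the demonstration.

```javascript
// Added example: audit an npm lockfile for path-to-regexp < 0.1.13.
// Assumes lockfileVersion 2 or 3 (a "packages" map keyed by node_modules path).
// Usage: node audit-path-to-regexp.js [path/to/package-lock.json]
// Without an argument it runs against the constructed SAMPLE_LOCK below.

const VULN_PACKAGE = 'path-to-regexp';
const FIXED_VERSION = '0.1.13'; // first fixed release named in the advisory

// Compare two dotted version strings; returns -1, 0 or 1.
// A prerelease ("0.1.13-rc.1") sorts below the matching release ("0.1.13").
function compareVersions(a, b) {
  const [aCore, aPre] = a.split('-');
  const [bCore, bPre] = b.split('-');
  const ap = aCore.split('.').map(Number);
  const bp = bCore.split('.').map(Number);
  for (let i = 0; i < Math.max(ap.length, bp.length); i++) {
    const d = (ap[i] || 0) - (bp[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Affected range from the advisory: every version below 0.1.13.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Resolve which installed copy of `name` the package at `fromPath` loads:
// look for `<fromPath>/node_modules/<name>`, then walk up one node_modules
// level at a time until the root ('' is the project itself).
function resolveCopy(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Return every dependent -> vulnerable copy pair, e.g.
// { dependent: 'node_modules/express', path: 'node_modules/path-to-regexp', version: '0.1.12' }
function vulnerableChains(lock) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (!meta.dependencies || !(VULN_PACKAGE in meta.dependencies)) continue;
    const copy = resolveCopy(lock, p, VULN_PACKAGE);
    if (copy && isVulnerable(lock.packages[copy].version)) {
      hits.push({ dependent: p || '(root)', path: copy, version: lock.packages[copy].version });
    }
  }
  return hits;
}

// Constructed sample lockfile: express still pins the vulnerable 0.1.12 copy
// hoisted to the root, while a second package carries its own patched copy.
const SAMPLE_LOCK = {
  name: 'functions',
  lockfileVersion: 3,
  packages: {
    '': { name: 'functions', dependencies: { express: '^4.19.2' } },
    'node_modules/express': { version: '4.19.2', dependencies: { 'path-to-regexp': '0.1.12' } },
    'node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/other-router': { version: '1.0.0', dependencies: { 'path-to-regexp': '^0.1.13' } },
    'node_modules/other-router/node_modules/path-to-regexp': { version: '0.1.13' },
  },
};

// Run directly (CommonJS only): read the given lockfile or fall back to the sample.
if (typeof require === 'function' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = vulnerableChains(lock);
  if (hits.length === 0) {
    console.log(`no ${VULN_PACKAGE} < ${FIXED_VERSION} reachable from any dependent`);
  } else {
    for (const h of hits) console.log(`${h.dependent} -> ${h.path}@${h.version} (vulnerable)`);
    process.exitCode = 1;
  }
}
```

Run it against the project's own `package-lock.json` before and after `npm audit fix`; a non-zero exit means some dependent still resolves to a pre-0.1.13 copy, which can happen when a nested copy survives even though the hoisted one was updated. `npm ls path-to-regexp` gives the same tree view from npm itself and is a quick cross-check.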