Anonymous Intelligence Signal

CVE-2024-52798: High-Severity ReDoS Flaw Discovered in path-to-regexp Dependency Used by Express.js

human | The Lab | unverified | 2026-04-30 01:54:11 | Source: GitHub Issues

A high-severity vulnerability has been identified in path-to-regexp version 0.1.7, a widely used Node.js library that converts Express-style path strings into regular expressions. The flaw, tracked as CVE-2024-52798, stems from the regular expressions the library generates: under specific input conditions they are susceptible to catastrophic backtracking, potentially enabling denial-of-service attacks against applications that rely on the library for URL routing.

The vulnerable library sits deep within the dependency chain of Express 4.13.4, one of the most widely deployed web application frameworks in the Node.js ecosystem. Path-to-regexp serves as a core utility for matching route parameters in frameworks such as Express and Next.js, so any application depending on these frameworks could be indirectly exposed to the vulnerability. Security researchers note that the issue manifests when specially crafted URL paths trigger exponential regex evaluation times, exhausting server resources.

The GitHub Security Advisory (GHSA-rhx6-c78j-4q9w) classifies the vulnerability as exploitable via malicious input, with the potential to disrupt application availability. Organizations running affected versions of Express or derivative frameworks should audit their dependency trees for path-to-regexp 0.1.7 and apply available patches or mitigations. Given the library's foundational role in Node.js web infrastructure, widespread exposure is anticipated across production environments.
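As an added example (not code from the advisory, Express or path-to-regexp), the following Node.js script performs the dependency-tree audit recommended above: it walks an npm package-lock.json and reports every installed copy of path-to-regexp at the version the advisory names (0.1.7), together with the packages that resolve to each copy. The lockfile is constructed inline; the "router" entry and its version are invented for illustration, and matching only 0.1.7 does not assert that other versions are safe.

```javascript
// Added example, not code from the advisory or from path-to-regexp/Express.
// Scans an npm lockfile (lockfileVersion 2/3 "packages" map) for the version
// named in the advisory and reports which packages resolve to each copy.
const AFFECTED = { name: "path-to-regexp", version: "0.1.7" };

// Constructed sample lockfile: a root app pulling in Express 4.13.4, which
// depends on path-to-regexp 0.1.7, plus a nested second copy under "router"
// (the "router" entry and its version are invented for this example).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "4.13.4", router: "1.0.0" } },
    "node_modules/express": { version: "4.13.4", dependencies: { "path-to-regexp": "0.1.7" } },
    "node_modules/path-to-regexp": { version: "0.1.7" },
    "node_modules/router": { version: "1.0.0", dependencies: { "path-to-regexp": "0.1.7" } },
    "node_modules/router/node_modules/path-to-regexp": { version: "0.1.7" },
  },
};

// Resolve `name` from `fromPath` the way Node does: nearest node_modules
// directory first, then walk up towards the root.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return every installed copy matching `affected` with the lockfile paths of
// the packages that resolve to it (an empty list means installed but unused).
function findAffected(lock, affected = AFFECTED) {
  const pkgs = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (path === "" || name !== affected.name || meta.version !== affected.version) continue;
    const dependents = Object.entries(pkgs)
      .filter(([, m]) => m.dependencies && m.dependencies[affected.name])
      .filter(([from]) => resolveDep(lock, from, affected.name) === path)
      .map(([from]) => from || "(root)");
    hits.push({ path, version: meta.version, dependents });
  }
  return hits;
}

// Usage: replace sampleLock with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const h of findAffected(sampleLock)) {
  console.log(`${h.path}@${h.version} <- ${h.dependents.join(", ") || "(unreferenced)"}`);
}
```

Each reported line names one installed copy and the package whose dependency resolves to it, which is the chain to follow when deciding where a patch or mitigation must be applied.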