## CVE-2024-45296: High-Severity Regex Denial-of-Service Flaw Found in path-to-regexp Library Used by Express.js
A high-severity vulnerability, tracked as CVE-2024-45296, has been identified in path-to-regexp version 0.1.7, a widely deployed npm library that converts Express-style path strings into regular expressions. Certain route patterns compile into inefficient regular expressions, and a request whose path is crafted against such a route forces the regex engine into heavy backtracking, leading to severe performance degradation. Because JavaScript operates on a single-threaded event loop, regex matching that consumes excessive CPU cycles can effectively block the application, creating a denial-of-service condition.

The vulnerable library sits deep within the dependency chain of Express.js, one of the most popular Node.js web frameworks. path-to-regexp 0.1.7 appears as a transitive dependency of express 4.13.4, meaning any application relying on an affected Express release inherits the vulnerability without directly listing the flawed package in its manifest. This dependency structure significantly expands the potential attack surface, as developers may be unaware they are using the affected library.
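
As an added example that is not part of this report or the path-to-regexp project, the following Node.js script walks an npm package-lock.json (lockfileVersion 2 or 3, which carry a flat `packages` map) for every path-to-regexp entry, including ones nested under express, and reports those whose version falls in a range assumed vulnerable. The lockfile contents are constructed for the demonstration; the range boundaries (fixed in 0.1.10, 1.9.0 and 8.0.0) are my reading of the upstream advisory and should be checked against it before relying on the output.

```javascript
// Added example (not from the page or the path-to-regexp project): scan a
// package-lock.json "packages" map for path-to-regexp entries in version
// ranges assumed vulnerable to CVE-2024-45296.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// [lowInclusive, highExclusive] pairs. Assumption: fixed releases are 0.1.10,
// 1.9.0 and 8.0.0 (verify against the upstream advisory).
const VULNERABLE_RANGES = [
  ['0.0.0', '0.1.10'],
  ['1.0.0', '1.9.0'],
  ['2.0.0', '8.0.0'],
];

function isVulnerableVersion(version) {
  const v = parseSemver(version);
  return VULNERABLE_RANGES.some(
    ([lo, hi]) => cmpSemver(v, parseSemver(lo)) >= 0 && cmpSemver(v, parseSemver(hi)) < 0,
  );
}

// Returns every lock entry for path-to-regexp (top-level or nested) that is
// in a vulnerable range, with its install path so the owning dependency is clear.
function findVulnerablePathToRegexp(lock) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/express/node_modules/path-to-regexp".
    if (!/(^|\/)node_modules\/path-to-regexp$/.test(pkgPath)) continue;
    if (meta.version && isVulnerableVersion(meta.version)) {
      hits.push({ path: pkgPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): express 4.13.4 pulls in
// path-to-regexp 0.1.7 nested beneath it, while a top-level copy is on the
// assumed-patched 8.x line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { express: '4.13.4' } },
    'node_modules/express': { version: '4.13.4' },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.7' },
    'node_modules/path-to-regexp': { version: '8.0.0' },
  },
};

console.log(findVulnerablePathToRegexp(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; only the nested 0.1.7 copy under express is reported, which is exactly the transitive case that `npm ls path-to-regexp` also surfaces but that a manifest-only review misses.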

The core issue stems from how path-to-regexp handles certain route patterns during regex compilation. Certain route definitions, when compiled, yield regular expressions with exponential backtracking characteristics. When the router attempts to match incoming requests against these patterns, the regex engine enters pathological matching scenarios that consume disproportionate computational resources. An unauthenticated remote attacker could exploit this by sending carefully constructed HTTP requests to trigger the vulnerable code path, rendering affected services unresponsive. Security researchers recommend upgrading to a patched version of path-to-regexp and auditing dependency trees for vulnerable express installations as immediate mitigation steps.

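
Upgrading is the fix, but until that lands a defender can at least find the route definitions that would compile into the problematic shape. The script below is an added example, not code from this report or from the path-to-regexp project, and the rule it applies is my own heuristic: a single path segment holding two or more `:name` parameters, any of which relies on the library's unconstrained default pattern, is flagged, because overlapping unconstrained captures in one segment are what allow the backtracking. For each finding it suggests a rewrite that constrains every parameter but the last in the segment to stop at the literal character that follows it; treat that rewrite as an assumed mitigation shape and verify it against the custom-pattern syntax of the path-to-regexp version you actually run. The route table is constructed for the demonstration.

```javascript
// Added example (not from the page or the path-to-regexp project): static
// audit of Express route strings for segments with multiple unconstrained
// parameters, with a suggested constrained rewrite. Heuristic is mine.

// Matches ":name" optionally followed by a custom pattern "(...)".
const PARAM_RE = /:([A-Za-z_][A-Za-z0-9_]*)(\([^)]*\))?/g;

function paramsInSegment(segment) {
  return [...segment.matchAll(PARAM_RE)].map((m) => ({
    name: m[1],
    hasPattern: m[2] !== undefined,
    end: m.index + m[0].length, // index just past the token
  }));
}

// Escape a character for use inside a JS regex character class.
function escapeForClass(ch) {
  return /[\\\]^-]/.test(ch) ? '\\' + ch : ch;
}

// Rewrite one segment so that each unconstrained parameter that is followed
// by a literal character gets a pattern excluding that character (and "/").
// Assumed mitigation shape: the first capture can then no longer stretch
// across the separator, so the split between parameters is deterministic.
function constrainSegment(segment) {
  const params = paramsInSegment(segment);
  let out = '';
  let last = 0;
  params.forEach((p, i) => {
    out += segment.slice(last, p.end);
    const next = segment[p.end];
    if (!p.hasPattern && i < params.length - 1 && next !== undefined) {
      out += `([^${escapeForClass(next)}/]+)`;
    }
    last = p.end;
  });
  return out + segment.slice(last);
}

// Flags every segment with >= 2 parameters where at least one lacks a custom
// pattern, and returns the route with that segment rewritten.
function auditRoutes(routes) {
  const findings = [];
  for (const route of routes) {
    const segments = route.split('/');
    segments.forEach((seg, idx) => {
      const params = paramsInSegment(seg);
      if (params.length >= 2 && params.some((p) => !p.hasPattern)) {
        const fixed = segments.slice();
        fixed[idx] = constrainSegment(seg);
        findings.push({
          route,
          segment: seg,
          params: params.map((p) => p.name),
          suggested: fixed.join('/'),
        });
      }
    });
  }
  return findings;
}

// Constructed sample route table (not from any real application).
const SAMPLE_ROUTES = [
  '/users/:id',                             // one param per segment: fine
  '/files/:name-:version',                  // two unconstrained params in one segment: flagged
  '/reports/:year(\\d{4})-:month(\\d{2})',  // both already constrained: not flagged
  '/a/:x/:y',                               // params in separate segments: fine
];

console.log(auditRoutes(SAMPLE_ROUTES));
```

Feed it the strings passed to `app.get`, `router.use` and friends (collected by grep or by wrapping the Express router in a test harness) and review each finding by hand; the rule deliberately over-flags, since a false positive costs a minute of review while a missed route costs an outage.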
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2024-45296, path-to-regexp, express, npm, regex
- **Credibility**: unverified
- **Published**: 2026-04-30 01:54:10
- **ID**: 78421
- **URL**: https://whisperx.ai/en/intel/78421