What is the severity of CVE-2024-45296?

CVE-2024-45296 is categorized as a denial of service vulnerability.

How do I fix CVE-2024-45296?

To mitigate CVE-2024-45296, upgrade the 'path-to-regexp' package to version 6.3.0 or higher, or to version 3.3.0 if using a lower version.

Which versions of 'path-to-regexp' are affected by CVE-2024-45296?

CVE-2024-45296 affects 'path-to-regexp' versions from 4.0.0 up to 6.3.0, as well as other variations like 7.x.x that are between 6.3.0 and 8.0.0.

What can an attacker do with CVE-2024-45296?

An attacker can exploit CVE-2024-45296 to cause a denial of service condition through specially crafted regex requests.

Is my software affected by CVE-2024-45296?

You may be affected by CVE-2024-45296 if you are using specific versions of 'path-to-regexp' or IBM QRadar WinCollect Agent that fall within the affected ranges.

Vulnerability/
CVE-2024-45296

high

7.5

CWE

1333

9/9/2024

5/2/2025

CVE-2024-45296: path-to-regexp outputs backtracking regular expressions

First published: Mon Sep 09 2024(Updated: )

pillarjs Path-to-RegExp is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially crafted regex request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
npm/path-to-regexp	>=4.0.0<6.3.0	6.3.0
npm/path-to-regexp	>=7.0.0<8.0.0	8.0.0
npm/path-to-regexp	>=2.0.0<3.3.0	3.3.0
npm/path-to-regexp	>=0.2.0<1.9.0	1.9.0
npm/path-to-regexp	<0.1.10	0.1.10
IBM QRadar WinCollect Agent	<=10.0-10.1.12

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7182403

Frequently Asked Questions

What is the severity of CVE-2024-45296?
CVE-2024-45296 is categorized as a denial of service vulnerability.
How do I fix CVE-2024-45296?
To mitigate CVE-2024-45296, upgrade the 'path-to-regexp' package to version 6.3.0 or higher, or to version 3.3.0 if using a lower version.
Which versions of 'path-to-regexp' are affected by CVE-2024-45296?
CVE-2024-45296 affects 'path-to-regexp' versions from 4.0.0 up to 6.3.0, as well as other variations like 7.x.x that are between 6.3.0 and 8.0.0.
What can an attacker do with CVE-2024-45296?
An attacker can exploit CVE-2024-45296 to cause a denial of service condition through specially crafted regex requests.
Is my software affected by CVE-2024-45296?
You may be affected by CVE-2024-45296 if you are using specific versions of 'path-to-regexp' or IBM QRadar WinCollect Agent that fall within the affected ranges.

agent/weakness
agent/title
agent/type
agent/first-publish-date
agent/author
agent/severity
agent/description
agent/trending
agent/softwarecombine
agent/source
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
collector/nvd-cve
collector/github-advisory-latest
source/GitHub
alias/GHSA-9wv6-86v2-598j
alias/CVE-2024-45296
agent/software-canonical-lookup
collector/github-advisory
collector/ibm-support
source/IBM
agent/references
agent/last-modified-date
agent/tags
agent/event
collector/redhat-bugzilla
source/Red Hat
package-manager/npm