Vulnerability DatabaseCVE-2024-45813
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-45813
September 18, 2024
find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a "-" at the end, like "/:a-:b-". This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue.
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (8)
https://github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6
https://github.com/advisories/GHSA-9wv6-86v2-598j
https://nvd.nist.gov/vuln/detail/CVE-2024-45813
https://blakeembrey.com/posts/2024-09-web-redos
https://github.com/delvedor/find-my-way/commit/66fa03923355b8da1db4ba572d66a4fee4a57cf5
https://github.com/delvedor/find-my-way
https://github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440
https://github.com/delvedor/find-my-way/commit/17fae694dcefc056045da201681c1530f0f80518
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Inefficient Regular Expression Complexity
CWE-1333
EPSS
Base Score:
0.08