GoogleOSV:GHSA-RRR8-F88R-H8Q6find-my-way has a ReDoS vulnerability in multiparametric routes
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
16.4%
Impact
A bad regular expression is generated any time you have two parameters within a single segment, when adding a - at the end, like /:a-:b-.
Patches
Update to find-my-way v8.2.2 or v9.0.1. or subsequent versions.
Workarounds
No known workarounds.
References
References
blakeembrey.com/posts/2024-09-web-redos
github.com/advisories/GHSA-9wv6-86v2-598j
github.com/delvedor/find-my-way
github.com/delvedor/find-my-way/commit/17fae694dcefc056045da201681c1530f0f80518
github.com/delvedor/find-my-way/commit/5e9e0eb5d8d438e06a185d5e536a896572dd0440
github.com/delvedor/find-my-way/security/advisories/GHSA-rrr8-f88r-h8q6
nvd.nist.gov/vuln/detail/CVE-2024-45813
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
16.4%