Resolved "Regular expression denial of service (ReDoS) in path-to-regexp"

@Stassi Stassi released this 05 Oct 06:52
· 443 commits to main since this release

Changelog: v0.0.30...v0.0.31
Pull request: #31
Resolves potential vulnerability: Regular expression denial of service (ReDoS) in path-to-regexp

Resolution to potential vulnerability

The path-to-regexp library was vulnerable to a medium-to-high-severity regular expression denial-of-service (ReDoS) attack when handling multiple parameters in a single segment separated by certain characters. This could result in excessive backtracking, degrading performance and potentially causing a denial-of-service (DoS).

View the full security disclosure at the project's security policy document.

Solution

path-to-regexp@^3.3.0 was set as an npm override, ensuring npm will no longer install the vulnerable versions of path-to-regexp required by serve in this project.
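For readers who want to apply the same mitigation in their own project, this is what an npm `overrides` entry pinning path-to-regexp to the fixed range looks like. It is an added illustration, not the package.json from this repository: the package name, version and the path-to-regexp range come from this release note, while the serve version is a placeholder because the release does not state it.

```json
{
  "name": "@stassi/leaflet",
  "version": "0.0.31",
  "devDependencies": {
    "serve": "<version used by the project>"
  },
  "overrides": {
    "path-to-regexp": "^3.3.0"
  }
}
```

After changing `overrides`, run `npm install` so the lockfile is regenerated, then confirm the resolved version with `npm ls path-to-regexp` and `npm audit`; a remaining entry below 3.3.0 means a transitive dependency still pulls the vulnerable range and the override did not take effect.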

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.31, run npm update immediately to ensure the latest security updates are received.