Note on CVE-2024-45296 #1275
panva announced in Announcements
The following concerns CVE-2024-45296 / https://github.com/advisories/GHSA-9wv6-86v2-598j. See also: https://blakeembrey.com/posts/2024-09-web-redos/
**Important**

This reported vulnerability in a transitive runtime dependency of `oidc-provider` (through `@koa/router`) does not affect users of `oidc-provider`. The problematic parameter patterns are not used by `oidc-provider`.

Until either the used major version of `path-to-regexp` is patched, or `@koa/router` updates its required `path-to-regexp` version, you're free to ignore the package manager's / security platform's alerts that you may be getting.

**Update:** `path-to-regexp@v6.3.0` was released with a backport of the fix. Just run `npm update` to get the latest version with the CVE fix backport. You may still get an alert and that's because the advisory itself has not yet been updated with the newly fixed version.

**Update 2:** The advisory was updated. If you still see issues after `npm update` please reach out to your package manager's / security platform of choice.
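As an added check (example code, not from `oidc-provider` or its maintainer): a small Node script that walks an npm lockfile object, lists every `path-to-regexp` copy it resolves, and flags any 6.x copy older than the 6.3.0 backport named above. The function names and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example: after `npm update`, confirm which path-to-regexp copies the lockfile
// actually resolves. Only the 6.x line is judged (fixed from 6.3.0 per the note above);
// other major lines are listed but not judged. Assumes an npm lockfile v2/v3 layout.
const FIRST_FIXED_6X = [6, 3, 0];

// Parse "6.2.2" into [6, 2, 2]; a pre-release suffix such as "-beta.1" is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Numeric, component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// Every path-to-regexp entry in the lockfile, with whether it is an unpatched 6.x copy.
// The install path shows which dependency chain (e.g. @koa/router's own node_modules)
// pulls that copy in, which is what a package manager alert usually points at.
function auditPathToRegexp(lockfile) {
  const entries = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/path-to-regexp') || !meta.version) continue;
    const parsed = parseVersion(meta.version);
    const unpatched = parsed[0] === 6 && compareVersions(parsed, FIRST_FIXED_6X) < 0;
    entries.push({ path, version: meta.version, unpatched });
  }
  return entries;
}

// Constructed sample: a hoisted copy already on 6.3.0 and a nested copy under
// @koa/router still on 6.2.2 (an older 6.x version used here only as sample data).
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    'node_modules/path-to-regexp': { version: '6.3.0' },
    'node_modules/@koa/router/node_modules/path-to-regexp': { version: '6.2.2' },
  },
};

for (const e of auditPathToRegexp(sampleLockfile)) {
  console.log(`${e.path}@${e.version}: ${e.unpatched ? 'UNPATCHED (below 6.3.0)' : 'ok'}`);
}
```

For a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` to `auditPathToRegexp` instead of the sample object.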