Vulnerability
Severity: HIGH
Package: path-to-regexp@8.3.0
Advisory: GHSA-j3q9-mxjg-w52f — CVSS 7.5
Affected component: core
Dependency type: transitive (via two independent chains including a direct runtime dependency)
Dependency chains:
pmxt-core → express@5.2.1 (direct dep) → router@2.2.0 → path-to-regexp@8.3.0 ← RUNTIME
pmxt-core → @openapitools/openapi-generator-cli (devDep) → @nestjs/core@11.1.11 → path-to-regexp@8.3.0
Description
path-to-regexp 8.0.0 through 8.3.0 is vulnerable to denial of service through route patterns that contain sequential optional groups. The example /:a?/:b?/:c? is written in the legacy suffix syntax; in the path-to-regexp 8 syntax that Express 5 accepts (the ? suffix was removed in 8.0.0), the same shape is {/:a}{/:b}{/:c}. A crafted request path causes catastrophic backtracking in the compiled regular expression, and because route matching runs synchronously on the Node.js event loop, the CPU time spent there blocks every other request. Express compiles each registered route path with this package, so exposure is decided by the server's route table.
Fix
Recommended version: path-to-regexp ≥8.4.0
Fix command:
npm update path-to-regexp
npm 7 and later updates a transitive package in place as long as the declared range of its parent (here router@2.2.0) admits 8.4.0; afterwards confirm with npm ls path-to-regexp that no 8.0.0–8.3.0 copy remains in either chain, including a nested copy under the devDependency chain. If a parent's range excludes 8.4.0, force the version with a package.json overrides entry for path-to-regexp, or upgrade express to a release whose router dependency already resolves path-to-regexp ≥8.4.0.
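The check a practitioner wants after running the fix command is that every installed copy of path-to-regexp, hoisted or nested, is outside 8.0.0–8.3.0. The script below is an added example, not the scanner's code or part of pmxt-core: it walks the packages map of a package-lock.json (lockfileVersion 2 or 3, where hoisted copies are keyed node_modules/<name> and nested copies node_modules/<parent>/node_modules/<name>). The lockfile object it runs on is constructed for the demonstration, with the hoisted copy already updated and a stale copy left under the devDependency chain; the versions in it are illustrative, not pmxt-core's real lock.

```javascript
// Added example: verify from a package-lock.json object that no copy of a
// package resolves inside a vulnerable version range, in any dependency chain.
// Not the scanner's code; the lockfile below is constructed for the demo.

// Numeric compare of dotted versions; a prerelease suffix after '-' is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when lo <= version <= hi (inclusive range, as advisories state them).
function inRange(version, lo, hi) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Walk lock.packages and report every installed copy of `name`.
// Keys are "node_modules/<name>" for hoisted copies and
// "node_modules/<parent>/node_modules/<name>" for nested ones;
// entries reachable only from devDependencies carry dev: true.
function auditLockfile(lock, name, lo, hi) {
  const suffix = `node_modules/${name}`;
  const report = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key !== suffix && !key.endsWith(`/${suffix}`)) continue;
    report.push({
      location: key,
      version: entry.version,
      devOnly: entry.dev === true,
      vulnerable: inRange(entry.version, lo, hi),
    });
  }
  return report;
}

// Constructed lockfile (not pmxt-core's): the hoisted copy has been updated,
// but a nested copy under the devDependency chain still resolves to 8.3.0.
const SAMPLE_LOCK = {
  name: 'pmxt-core',
  lockfileVersion: 3,
  packages: {
    '': { name: 'pmxt-core' },
    'node_modules/express': { version: '5.2.1' },
    'node_modules/router': { version: '2.2.0' },
    'node_modules/path-to-regexp': { version: '8.4.0' },
    'node_modules/@nestjs/core': { version: '11.1.11', dev: true },
    'node_modules/@nestjs/core/node_modules/path-to-regexp': { version: '8.3.0', dev: true },
  },
};

const report = auditLockfile(SAMPLE_LOCK, 'path-to-regexp', '8.0.0', '8.3.0');
for (const r of report) {
  const tag = r.vulnerable ? 'VULNERABLE' : 'ok';
  console.log(`${r.location}@${r.version}: ${tag}${r.devOnly ? ' (dev only)' : ''}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). A copy marked dev only is not loaded by the server, but it still needs updating for the scan to come back clean.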
Risk Assessment
The express chain is a runtime risk. pmxt-core runs an Express HTTP server (the pmxt-server binary). If any registered route uses sequential optional segments, one crafted HTTP request is enough to trigger the ReDoS; the match runs synchronously on the event loop, so the whole process stops serving until it returns. Exposure depends on the route table: routes without consecutive optional segments are not a trigger, and the matching cost grows with the number of consecutive optional segments in a route. The @nestjs/core chain is pulled in by a devDependency and is not loaded by the server, so it adds no runtime exposure, but it should be updated too so the scan does not keep flagging it. Treat this as a server-side DoS risk and patch promptly.
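Whether the runtime chain is actually reachable comes down to the route table, so the first thing to do alongside the upgrade is to look for routes with back-to-back optional segments. The script below is an added example, not part of this report or of pmxt-core: it scans route path strings for runs of consecutive optional segments in both the path-to-regexp 8 syntax ({/:name}) and the legacy suffix syntax (/:name?). The route table it scans is constructed for the demonstration and is not pmxt-core's real route list.

```javascript
// Added example: static audit of Express route definitions for runs of
// sequential optional path segments, the pattern this advisory concerns.
// Not code from the scanner or from pmxt-core; the route table is constructed.

// One optional segment in either syntax:
//   path-to-regexp 8 / Express 5:        {/:name}
//   legacy path-to-regexp / Express 4:   /:name?
const OPTIONAL_SEGMENT = /\{\/:[A-Za-z_$][\w$]*\}|\/:[A-Za-z_$][\w$]*\?/g;

// Length of the longest run of back-to-back optional segments in a route path.
// Optional segments separated by a literal (e.g. "{/:a}/x{/:b}") are not sequential.
function longestOptionalRun(routePath) {
  let longest = 0;
  let run = 0;
  let expectedStart = -1;
  for (const m of routePath.matchAll(OPTIONAL_SEGMENT)) {
    // A segment that starts exactly where the previous one ended extends the run.
    run = m.index === expectedStart ? run + 1 : 1;
    expectedStart = m.index + m[0].length;
    if (run > longest) longest = run;
  }
  return longest;
}

// Every route whose longest run reaches the threshold (two consecutive
// optional segments is already the shape the advisory describes).
function findRiskyRoutes(routePaths, threshold = 2) {
  return routePaths
    .map((path) => ({ path, optionalRun: longestOptionalRun(path) }))
    .filter((r) => r.optionalRun >= threshold);
}

// Constructed sample route table (not pmxt-core's routes).
const SAMPLE_ROUTES = [
  '/health',
  '/users/:id',
  '/users{/:id}',
  '/files{/:a}{/:b}{/:c}',              // three sequential optional segments, v8 syntax
  '/legacy/:a?/:b?/:c?',                // same shape in legacy syntax
  '/reports{/:year}/summary{/:format}', // optional segments split by a literal: not sequential
];

const findings = findRiskyRoutes(SAMPLE_ROUTES);
for (const f of findings) {
  console.log(`${f.path}: ${f.optionalRun} sequential optional segments`);
}
```

To audit a live app rather than a hand-written table, collect the path strings from the router stack (in Express 5 it is exposed as app.router.stack; each layer that carries a route property has route.path) and pass them to findRiskyRoutes. A route that is flagged is a trigger for the backtracking described above; a clean table lowers the urgency but does not replace the upgrade, since the vulnerable code is still loaded.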
Found by automated dependency vulnerability scan