Merge pull request #5603 from github/goshop4eva-GHSA-rhx6-c78j-4q9w

Author: advisory-database[bot]

advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json

@@ -1,19 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rhx6-c78j-4q9w",
-  "modified": "2025-01-24T21:41:07Z",
+  "modified": "2025-01-24T21:41:09Z",
   "published": "2024-12-05T22:40:47Z",
   "aliases": [
     "CVE-2024-52798"
   ],
   "summary": "Unpatched `path-to-regexp` ReDoS in 0.1.x",
   "details": "### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/",
-  "severity": [
-    {
-      "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
-    }
-  ],
+  "severity": [],
   "affected": [
     {
       "package": {
@@ -65,7 +60,7 @@
     "cwe_ids": [
       "CWE-1333"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2024-12-05T22:40:47Z",
     "nvd_published_at": "2024-12-05T23:15:06Z"