Ubuntu alert USN-8290-1 (node-path-to-regexp)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8290-1] Path-to-Regexp vulnerability | |
| Date: | Fri, 22 May 2026 15:29:17 +0000 | |
| Message-ID: | <E1wQRoL-0006cs-Uk@lists.ubuntu.com> |
==========================================================================
Ubuntu Security Notice USN-8290-1
May 21, 2026

node-path-to-regexp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Path-to-Regexp could be made to crash if it received specially crafted
network traffic.

Software Description:
- node-path-to-regexp: Turn a path string such as /user/:name into a
  regular expression.

Details:

It was discovered that Path-to-Regexp incorrectly handled route patterns
containing multiple named parameters separated by non-delimiter characters
such as hyphens. An attacker could possibly use this issue to cause a
denial of service via catastrophic backtracking in the generated regular
expressions.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  node-path-to-regexp             6.2.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  node-path-to-regexp             6.2.0-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  node-path-to-regexp             6.1.0-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  node-path-to-regexp             1.0.1-1ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  node-path-to-regexp             1.0.1-1ubuntu0.16.04.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8290-1
  CVE-2024-45296
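The route shape described under Details (several named parameters in one path segment, separated by a non-delimiter character such as a hyphen) can be searched for in an application's own route table. The following is an added example, not part of the Ubuntu notice or of path-to-regexp; the names `auditRoute` and `auditAll`, the sample routes, and the simplified parameter syntax (`:name`, optional `(pattern)`, `/` as the only delimiter) are assumptions.

```javascript
// Added example: heuristic audit of route strings, not path-to-regexp's parser.
// Assumptions: "/" is the only delimiter; a parameter is ":name", optionally
// followed by a "(custom pattern)" and one modifier (?, * or +).
function auditRoute(route) {
  const findings = [];
  let params = [], separators = [], literal = ""; // state for the current segment
  const closeSegment = () => {
    if (params.length > 1) {
      findings.push({
        route,
        params: params.map((p) => p.name),
        separators, // literal text between consecutive parameters
        // Parameters without their own pattern, listed for triage only.
        unconstrained: params.filter((p) => !p.custom).map((p) => p.name),
      });
    }
    params = []; separators = []; literal = "";
  };
  let i = 0;
  while (i < route.length) {
    const ch = route[i];
    if (ch === "/") { closeSegment(); i++; continue; }
    if (ch === "\\") { literal += route[i + 1] || ""; i += 2; continue; }
    if (ch !== ":" || !/\w/.test(route[i + 1] || "")) { literal += ch; i++; continue; }
    let j = i + 1;
    while (j < route.length && /\w/.test(route[j])) j++;
    const name = route.slice(i + 1, j);
    let custom = false;
    if (route[j] === "(") { // skip a balanced custom pattern, including any "/"
      custom = true;
      let depth = 0;
      do {
        if (route[j] === "\\") j++;
        else if (route[j] === "(") depth++;
        else if (route[j] === ")") depth--;
        j++;
      } while (j < route.length && depth > 0);
    }
    if (/[?*+]/.test(route[j] || "")) j++; // optional modifier
    if (params.length > 0) separators.push(literal);
    params.push({ name, custom });
    literal = ""; i = j;
  }
  closeSegment();
  return findings;
}
// Constructed sample routes, not taken from any real application.
const SAMPLE_ROUTES = ["/user/:name", "/flights/:from-:to", "/:a-:b([^-/]+)", "/:x/:y"];
const auditAll = (routes) => routes.flatMap(auditRoute);
```

Each finding is a candidate for review against the fixed package versions listed above; the audit only locates the pattern shape and does not decide whether a given route is exploitable.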
