Note on CVE-2024-45296 #1275
panva
announced in
Announcements
Note on CVE-2024-45296
#1275
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
The following concerns
CVE-2024-45296/https://github.com/advisories/GHSA-9wv6-86v2-598j.See also: https://blakeembrey.com/posts/2024-09-web-redos/
Important
This reported vulnerability in a transitive runtime dependency of
oidc-provider(through@koa/router) does not affect users ofoidc-provider. The problematic parameter patterns are not used byoidc-provider.Until either the used major version of
path-to-regexpis patched, or@koa/routerupdates its requiredpath-to-regexpversion, you're free to ignore the package manager's / security platform's alerts that you may be getting.Update:
[email protected]was released with a backport of the fix. Just runnpm updateto get the latest version with the CVE fix backport. You may still get an alert and that's because the advisory itself has not yet been updated with the newly fixed version.Update 2: The advisory was updated. If you still see issues after
npm updateplease reach out to your package manager's / security platform of choice.Beta Was this translation helpful? Give feedback.
All reactions