[GHSA-rrr8-f88r-h8q6] find-my-way has a ReDoS vulnerability in multiparametric routes

[sealonohana]

Updates

• Affected products
• CVSS v3

Comments
follow-my-way v4.1.0 is NOT exploitable by CVE-2024-45813. The following test does NOT fail on Node 12 NPM 6 follow-my-way v4.1.0:```javascript
test('prevent back-tracking', (t) => {
t.plan(0)
t.setTimeout(20)
const findMyWay = FindMyWay({
defaultRoute: () => {
t.fail('route not matched')
}
})
findMyWay.on('GET', '/:foo-:bar-', (req, res, params) => {})
findMyWay.find('GET', '/' + '-'.repeat(200000000) + 'a', { host: 'fastify.io' })
})

The reason is that CVE-2024-45813 exploits mechanism that does not exist in v4.1.0. CVE-2024-45813 exploits a mechanism to check the validity of a given regex, and could cause a ReDoS. At some point after 4.1.0, the maintainer transformed the function `router.prototype._on` to use loops instead of recursion. This mechanism does NOT exist in version 4.1.0.

[github]

Hi there @delvedor! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[darakian]

Hey @sealonohana, thanks for the PR. We got out ranges from the maintainer's repo advisory
GHSA-rrr8-f88r-h8q6

Would you mind reaching out to them to determine a lower bound for the advisory?