path-to-regexp npm audit high vulnerable

[danielehrhardt]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

In express, @nestjs/core, @nestjs/platform-express there is a package used "path-to-regexp" what causes a npm high security vulnerable. For Version 0.1.7 there is a path 0.1.10 but for 3.2.0 there is no patch currently available.
This should be updated.

Minimum reproduction code

pillarjs/path-to-regexp@29b96b4

Steps to reproduce

npm install
npm audit

Expected behavior

no high security vulnerable

Package

• I don't know. Or some 3rd-party package
• @nestjs/common
• @nestjs/core
• @nestjs/microservices
• @nestjs/platform-express
• @nestjs/platform-fastify
• @nestjs/platform-socket.io
• @nestjs/platform-ws
• @nestjs/testing
• @nestjs/websockets
• Other (see below)

Other package

No response

NestJS version

10.3.10

Packages versions

latest

Node.js version

20

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

No response

[danielehrhardt]

GHSA-9wv6-86v2-598j

[autorejecttop]

@nestjs/platform-fastify is also affected by this

[autorejecttop]

I tried reproducing this by:

1. nest new project-name
2. npm install @nestjs/microservices @nestjs/platform-fastify @nestjs/platform-socket.io @nestjs/platform-ws @nestjs/testing @nestjs/websockets
3. npm audit

it looks like affected packages are:

1. @nestjs/core
2. @nestjs/microservices
3. @nestjs/platform-express
4. @nestjs/platform-fastify
5. @nestjs/platform-socket.io
6. @nestjs/platform-ws
7. @nestjs/testing
8. @nestjs/websockets

got this output:

# npm audit report

path-to-regexp  <=0.1.9 || 0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @nestjs/platform-express@7.0.0, which is a breaking change
node_modules/@fastify/middie/node_modules/path-to-regexp
node_modules/express/node_modules/path-to-regexp
node_modules/path-to-regexp
  @fastify/middie  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/@fastify/middie
    @nestjs/platform-fastify  *
    Depends on vulnerable versions of @fastify/middie
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of path-to-regexp
    node_modules/@nestjs/platform-fastify
  @nestjs/core  <=2.0.2 || 5.2.0-next - 5.7.4 || >=6.11.0-next.1
  Depends on vulnerable versions of @nestjs/microservices
  Depends on vulnerable versions of @nestjs/platform-express
  Depends on vulnerable versions of @nestjs/websockets
  Depends on vulnerable versions of path-to-regexp
  node_modules/@nestjs/core
    @nestjs/microservices  >=7.0.1
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of @nestjs/websockets
    node_modules/@nestjs/microservices
    @nestjs/platform-express  *
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of express
    node_modules/@nestjs/platform-express
      @nestjs/testing  >=7.0.1
      Depends on vulnerable versions of @nestjs/core
      Depends on vulnerable versions of @nestjs/microservices
      Depends on vulnerable versions of @nestjs/platform-express
      node_modules/@nestjs/testing
    @nestjs/websockets  >=7.0.1
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of @nestjs/platform-socket.io
    node_modules/@nestjs/websockets
      @nestjs/platform-socket.io  >=8.0.0-alpha.1
      Depends on vulnerable versions of @nestjs/websockets
      node_modules/@nestjs/platform-socket.io
      @nestjs/platform-ws  >=8.0.0-alpha.1
      Depends on vulnerable versions of @nestjs/websockets
      node_modules/@nestjs/platform-ws
  express  4.0.0-rc1 - 4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of path-to-regexp
  node_modules/express

11 high severity vulnerabilities

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

[anukritigarg13]

@nestjs/swagger is also affected by this

[paskaran]

When can we expect a fix for this .? Thanks :)

[micalevisk]

Kamil should address this soon if feasible.

And, as long as you don't have a route that uses the specific path pattern that is mentioned in the vulnerability, you don't need to worry. (btw npm audit: Broken by Design)

[paskaran]

The problem is audit pipelines failing :D downgrading to 6.10.14 is not an option for us. Hopefully the fix arrives soon :). Thanks

[danielehrhardt]

#13957

[micalevisk]

I don't think that upgrading path-to-regexp from v3 to v8 is a good short-term solution because we might bring breaking changes (see v6, v7, and others). I guess we need to find a way to let the dev upgrade it on their side instead

[Piet-verdriet]

@micalevisk I agree :) An issue has been opened for path-to-regexp here
Please bump, hopefully one of the devs can look into patching soon.

[micalevisk]

looks like that the path-to-regexp's team won't backport that fix tho: pillarjs/path-to-regexp#318 (comment)

[DanielSchiavini]

They shouldn't need to backport, the release 3.2.0 is almost 5 years old! Nest should've upgraded a long time ago.

[micalevisk]

an workaround for NPM v8+ users:

just add the following to your package.json file and remove the lock file

  "overrides": {
    "path-to-regexp": "^8.1"
  }

so now you'll be using the latest version of path-to-regexp

Yarn and PNPM has similar solutions

[pnewhook]

@micalevisk That unfortunately doesn't work if you're using code that calls pathToRegexp under the hood, like app.useGlobalPrefix(). Looks like pathToRegexp used to be a default export, but that was changed sometime after.

[Nest] 96096  - 09/10/2024, 11:36:43 AM   ERROR [ExceptionHandler] pathToRegexp is not a function
TypeError: pathToRegexp is not a function
    at /Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/middleware/utils.js:22:24
    at Array.map (<anonymous>)
    at mapToExcludeRoute (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/middleware/utils.js:11:19)
    at NestApplication.setGlobalPrefix (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-application.js:236:49)
    at /Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-factory.js:145:40
    at Function.run (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/errors/exceptions-zone.js:10:13)
    at Proxy.<anonymous> (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-factory.js:144:46)
    at Proxy.<anonymous> (/Users/newhop2/dev/aible/hub-api/node_modules/@nestjs/core/nest-factory.js:193:54)
    at bootstrap (/Users/newhop2/dev/aible/hub-api/src/main.ts:12:7)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
Waiting for the debugger to disconnect...

The problem stems from this code:

  app.setGlobalPrefix('v1', {
    exclude: [
      { path: 'health', method: RequestMethod.ALL },
      { path: 'graphql', method: RequestMethod.ALL },
    ],
  });

[naeramarth7]

Looks like pathToRegexp used to be a default export, but that was changed sometime after.

It is now accessible via the exported member pathToRegexp.

However, there's a breaking change in version 8 of path-to-regexp anyways:

• removing support for RegExp as input. Only strings are supported now.
• Those strings have a limited syntax. (, ), [ and ] were removed, see Unexpected (, ), [, ], etc.

This will subsequently break the behaviour of e.g. exluding routes in middlewares thus making this breaking change transparent to users of nest as well.

[micalevisk]

thanks

so for those that really don't use path-to-regexp (ie., no regex paths), you can use this patch for @nestjs/core (and express@4, in my case) for now along with #13955 (comment):

• express+4.19.2.patch
• @nestjs+core+10.4.1.patch

you can use https://www.npmjs.com/package/patch-package to apply that

[danielehrhardt]

pillarjs/path-to-regexp#317 (comment)
3.3.0 published