Inefficient Regular Expression Complexity Affecting kubeflow-pipelines package, versions <2.3.0-r3


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Inefficient Regular Expression Complexity vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CHAINGUARDLATEST-KUBEFLOWPIPELINES-8496590
  • published11 Dec 2024
  • disclosed5 Dec 2024

Introduced: 5 Dec 2024

NewCVE-2024-52798  (opens in a new tab)
CWE-1333  (opens in a new tab)

How to fix?

Upgrade Chainguard kubeflow-pipelines to version 2.3.0-r3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kubeflow-pipelines package and not the kubeflow-pipelines package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

CVSS Scores

version 3.1