### Impact

A regular expression that is vulnerable to backtracking can be generated in versions of `path-to-regexp` before 0.1.12. The issue was originally reported in CVE-2024-45296.

### Patches

Upgrade to 0.1.12.

### Workarounds

Avoid using two parameters within a single path segment when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

### References

- https://github.com/advisories/GHSA-9wv6-86v2-598j
- https://blakeembrey.com/posts/2024-09-web-redos/
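The workaround can be turned into a route audit. The following is an added example, not code from the advisory or from `path-to-regexp`: it scans route strings for two parameters in one segment with a separator other than `.`, unless both carry a custom regex. The function names and sample routes are hypothetical, it assumes `:name` parameters with an optional `(regex)` and `?`/`*` modifiers, and it does not check whether two custom regexes overlap.

```javascript
// Added example: audit helper, not part of path-to-regexp or the advisory.
// Assumes ":name" parameters, an optional "(regex)" and "?" / "*" modifiers.

// Return the index just past a parenthesised group starting at path[i].
// Limitation: parentheses inside a [...] class are counted like any other.
function skipGroup(path, i) {
  let depth = 0;
  for (; i < path.length; i++) {
    if (path[i] === '\\') { i++; continue; }          // skip escaped char
    if (path[i] === '(') depth++;
    else if (path[i] === ')' && --depth === 0) return i + 1;
  }
  return i;                                            // unbalanced: stop at end
}

// List adjacent parameter pairs in one segment whose separator is not "."
// and where the two parameters do not both carry a custom regex.
function findRiskyPairs(path) {
  const findings = [];
  let prev = null, sep = '', i = 0;
  while (i < path.length) {
    const m = /^:(\w+)/.exec(path.slice(i));
    if (!m) {
      if (path[i] === '/') { prev = null; sep = ''; }  // new segment
      else sep += path[i];                             // literal between params
      i++;
      continue;
    }
    i += m[0].length;
    const param = { name: m[1], custom: path[i] === '(' };
    if (param.custom) i = skipGroup(path, i);
    while (path[i] === '?' || path[i] === '*') i++;    // modifiers are not separators
    if (prev && sep !== '.' && !(prev.custom && param.custom)) {
      findings.push({ first: prev.name, second: param.name, separator: sep });
    }
    prev = param;
    sep = '';
  }
  return findings;
}

// Constructed sample routes.
const routes = ['/flights/:from-:to', '/files/:name.:ext', '/users/:id/posts/:post',
  '/range/:a([^-/]+)-:b([^-/]+)', '/range/:a-:b([^-/]+)'];
for (const r of routes) {
  const hits = findRiskyPairs(r);
  console.log(hits.length ? 'REVIEW' : 'ok    ', r, JSON.stringify(hits));
}
```

A route marked `REVIEW` still needs a human decision: split the segment, switch to a `.` separator, or give both parameters non-overlapping patterns.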
Fix available through Seal Security. No upgrade required, protect your application instantly.