[GHSA-rhx6-c78j-4q9w] Unpatched path-to-regexp ReDoS in 0.1.x #5603

Open: wants to merge 1 commit into base goshop4eva/advisory-improvement-5603

Conversation

goshop4eva
Updates

  • CVSS v4
  • Severity

Comments
Hi, please change this alert to Moderate. The same alert is moderate on the path-to-regexp repo. Thanks.

GHSA-rhx6-c78j-4q9w

@github (Collaborator) commented May 21, 2025

Hi there @blakeembrey! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to goshop4eva/advisory-improvement-5603 May 21, 2025 18:32
@helixplant

Hi @goshop4eva,
GHSA-rhx6-c78j-4q9w and its preceding GHSA, GHSA-9wv6-86v2-598j, have severity set to moderate based on a CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which technically isn't correct for a denial of service vulnerability. Denial of service attacks, including ReDoS attacks, usually have high availability impact.

The specification docs for CVSS 3.1 provide definitions for high and low availability impact:

High (H) - There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed).

Low (L) - Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users.

Do you think the description of the vulnerability GHSA-rhx6-c78j-4q9w accurately describes a total loss of availability as described in the specification docs?
