Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xdzZoLXZnaDktajZ3eM4AA_cW
express vulnerable to XSS via response.redirect()
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code
Patches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdzZoLXZnaDktajZ3eM4AA_cW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago
CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Identifiers: GHSA-qw6h-vgh9-j6wx, CVE-2024-43796
References:
- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
- https://nvd.nist.gov/vuln/detail/CVE-2024-43796
- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx
Blast Radius: 31.3
Affected Packages
npm:express
Dependent packages: 93,237Dependent repositories: 1,853,938
Downloads: 147,394,438 last month
Affected Version Ranges: >= 5.0.0-alpha.1, < 5.0.0, < 4.20.0
Fixed in: 5.0.0, 4.20.0
All affected versions: 0.14.0, 0.14.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.7.0, 3.8.0, 3.8.1, 3.9.0, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.11.0, 3.12.0, 3.12.1, 3.13.0, 3.14.0, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.16.5, 3.16.6, 3.16.7, 3.16.8, 3.16.9, 3.16.10, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.17.8, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.18.4, 3.18.5, 3.18.6, 3.19.0, 3.19.1, 3.19.2, 3.20.0, 3.20.1, 3.20.2, 3.20.3, 3.21.0, 3.21.1, 3.21.2, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.8, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.10.8, 4.11.0, 4.11.1, 4.11.2, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.14.0, 4.14.1, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.15.4, 4.15.5, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.17.0, 4.17.1, 4.17.2, 4.17.3, 4.18.0, 4.18.1, 4.18.2, 4.18.3, 4.19.0, 4.19.1, 4.19.2, 5.0.0-alpha.1, 5.0.0-alpha.2, 5.0.0-alpha.3, 5.0.0-alpha.4, 5.0.0-alpha.5, 5.0.0-alpha.6, 5.0.0-alpha.7, 5.0.0-alpha.8, 5.0.0-beta.1, 5.0.0-beta.2, 5.0.0-beta.3
All unaffected versions: 4.20.0, 4.21.0, 4.21.1, 5.0.0, 5.0.1