Headline
GHSA-qw6h-vgh9-j6wx: express vulnerable to XSS via response.redirect()
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code
Patches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-43796
express vulnerable to XSS via response.redirect()
Moderate severity GitHub Reviewed Published Sep 10, 2024 in expressjs/express • Updated Sep 10, 2024
Package
npm express (npm)
Affected versions
< 4.20.0
>= 5.0.0-alpha.1, < 5.0.0
Patched versions
4.20.0
5.0.0
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code
Patches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
- the user MUST click on the link in the template
References
- GHSA-qw6h-vgh9-j6wx
- https://nvd.nist.gov/vuln/detail/CVE-2024-43796
- expressjs/express@54271f6
Published to the GitHub Advisory Database
Sep 10, 2024
Last updated
Sep 10, 2024