Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-rv95-896h-c2vc: Express.js Open Redirect in malformed URLs

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94

An initial fix went out with [email protected], we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

https://github.com/expressjs/express/pull/5539 https://github.com/koajs/koa/issues/1800 https://expressjs.com/en/4x/api.html#res.location

ghsa
#vulnerability#nodejs#js#git#perl

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-29041

Express.js Open Redirect in malformed URLs

Moderate severity GitHub Reviewed Published Mar 25, 2024 in expressjs/express • Updated Mar 25, 2024

Package

npm express (npm)

Affected versions

< 4.19.2

>= 5.0.0-alpha.1, < 5.0.0-beta.3

Patched versions

4.19.2

5.0.0-beta.3

Description

Published to the GitHub Advisory Database

Mar 25, 2024

Last updated

Mar 25, 2024

Related news

Red Hat Security Advisory 2024-7164-03

Red Hat Security Advisory 2024-7164-03 - The Migration Toolkit for Containers 1.8.4 is now available. Issues addressed include denial of service and password leak vulnerabilities.

Red Hat Security Advisory 2024-6211-03

Red Hat Security Advisory 2024-6211-03 - Red Hat OpenShift Service Mesh Containers for 2.6.1. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-3868-03

Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.