Fdrag0N

Name of the Vulnerable Software and Affected Versions: Express.js versions prior to 4.19.0 Express.js pre-release alpha and beta versions of 5.0 prior to 5.0.0-beta.3 Description: The issue is related to an open redirect vulnerability using malformed URLs. When Express performs a redirect using a user-provided URL, it encodes the contents using `encodeurl` before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. Recommendations: For Express.js versions prior to 4.19.0, update to version 4.19.2 or later. For Express.js pre-release alpha and beta versions of 5.0, update to version 5.0.0-beta.3 or later. As a temporary workaround, consider pre-parsing the URL string with either `require('node:url').parse` or `new URL` before passing the user input string to `res.location` or `res.redirect`.