PT-2021-19565 · Slashify
Max Schaefer
Published 2021-02-05 · Updated 2022-05-24
CVE-2021-3189
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
slashify version 1.0.0
Description:
slashify is an Express middleware that normalises routes by stripping any final slash and then redirects to the result without validating the path, which allows open-redirect attacks. For example, visiting a URL like 'localhost:3000///github.com/' can redirect to 'https://github.com'.
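As an added illustration (not slashify's own code), the trailing-slash redirect helper below is written the naive way the description outlines, beside a form that refuses any target that does not resolve back to the serving origin; the app URL localhost:3000 and the sample paths are constructed.

```javascript
// Added example, not code from the slashify package.

// Naive behaviour as described in the advisory: strip the final slash and
// use the result as the redirect target without any validation.
function naiveRedirectTarget(reqUrl) {
  if (reqUrl.length > 1 && reqUrl.endsWith('/')) {
    return reqUrl.slice(0, -1);
  }
  return null; // nothing to normalise, so no redirect
}

// Where a WHATWG-compliant browser actually lands when handed `target` as a
// Location header by a page served at `base`.
function resolvesTo(target, base) {
  return new URL(target, base).href;
}

// Hardened form: compute the same target, then refuse it unless it resolves
// back to the serving origin. A path whose leading '//' survives stripping is
// parsed as a protocol-relative URL, so the origin comparison catches it.
function safeRedirectTarget(reqUrl, base) {
  const target = naiveRedirectTarget(reqUrl);
  if (target === null) return null;
  const resolved = new URL(target, base);
  if (resolved.origin !== new URL(base).origin) {
    return null; // would leave the site: do not redirect
  }
  return target;
}

// Constructed sample requests against a hypothetical app on localhost:3000.
const BASE = 'http://localhost:3000';
const samples = ['/users/', '///github.com/'];
for (const path of samples) {
  const naive = naiveRedirectTarget(path);
  console.log(path, '->', naive, 'lands at', resolvesTo(naive, BASE),
              '| hardened:', safeRedirectTarget(path, BASE));
}
```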
Recommendations:
For version 1.0.0, discontinuing use of the slashify package is recommended, as there is no known safe version of this package.
Weakness Enumeration:
Open Redirect
Related Identifiers:
CVE-2021-3189
Affected Products:
Slashify