PT-2024-30664

Adamkorcz · Published 2024-09-10 · Updated 2025-12-19 · CVE-2024-43796

CVSS v3.1: 5.0 Medium
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Express.js versions prior to 4.20.0
Description: Express.js versions prior to 4.20.0 can execute untrusted code when untrusted user input is passed to response.redirect(), even if that input was sanitized (for example HTML-escaped) first. Besides setting the Location header, response.redirect() renders a fallback response body that contains a clickable link to the redirect target. Escaping the target when it is inserted into that body does not change what the URL does once it is followed, so an attacker-controlled target can end up as a link that runs attacker-chosen code when clicked. The issue is only exploitable if all of the following hold: the attacker controls the input to response.redirect(); Express.js does not redirect before the fallback template is shown; the browser does not complete the redirection; and the user clicks the link in that template.
Recommendations: For Express.js versions prior to 4.20.0, upgrade to version 4.20.0 or later, which fixes the issue. As a temporary workaround, validate any untrusted redirect target against an explicit allowlist (known relative paths or hostnames, http(s) schemes only) before passing it to response.redirect(); escaping alone is not sufficient, because it does not restrict where the URL points.

Weakness Enumeration

XSS

Related Identifiers

AZL-49053
AZL-49091
AZL-49135
AZL-49152
CVE-2024-43796
GHSA-QW6H-VGH9-J6WX
USN-7581-1

Affected Products

Debian
Express.Js
Linuxmint
Ubuntu