CVE-2024-43800

Name of the Vulnerable Software and Affected Versions serve-static versions prior to 1.16.0

Description The issue allows execution of untrusted code by passing untrusted user input to the redirect() function, even after sanitizing it. This can be exploited if an attacker controls the input to response.redirect(), express does not redirect before the template appears, and the browser does not complete redirection before the user clicks on the link in the template.

Recommendations For versions prior to 1.16.0, upgrade to serve-static 1.16.0 to patch the issue. As a temporary workaround, ensure any untrusted inputs are safe by validating them against an explicit allowlist.