PT-2024-5218 · Unknown+4 · Express.Js+4

Fdrag0N · Published 2024-03-25 · Updated 2026-04-05 · CVE-2024-29041

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Express.js versions prior to 4.19.0; Express.js pre-release alpha and beta versions of 5.0 prior to 5.0.0-beta.3
Description: The issue is an open redirect vulnerability triggered by malformed URLs. When Express performs a redirect using a user-provided URL, it encodes the contents using encodeurl before passing them to the Location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an open redirect that bypasses a properly implemented allow list. The main method impacted is res.location(), which is also called from within res.redirect().
Recommendations: For Express.js versions prior to 4.19.0, update to version 4.19.2 or later. For Express.js pre-release alpha and beta versions of 5.0, update to version 5.0.0-beta.3 or later. As a temporary workaround, pre-parse the URL string with either require('node:url').parse or new URL before passing the user input string to res.location() or res.redirect().
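One way to apply the temporary workaround, as an added example that is not code from Express or from this advisory: parse the input with new URL, run the allow list check on the parsed fields, and redirect to the parser's serialized form rather than the raw string. The names ALLOWED_HOSTS, safeRedirectTarget and handleRedirect, the `next` query parameter and the example.test hosts are assumptions made for illustration.

```javascript
// Added example. Host names are constructed placeholders, not values from the advisory.
const ALLOWED_HOSTS = new Set(['app.example.test', 'login.example.test']);

// Returns the parser-normalized absolute URL string, or null when the input
// must not be used as a redirect target.
function safeRedirectTarget(input, allowedHosts = ALLOWED_HOSTS) {
  // req.query values can be arrays or objects; accept plain strings only.
  if (typeof input !== 'string' || input.length === 0) return null;

  let url;
  try {
    url = new URL(input); // throws on anything that is not an absolute URL
  } catch {
    return null;
  }

  // Check the fields the parser produced, never substrings of the raw input.
  if (url.protocol !== 'https:') return null;
  if (url.username !== '' || url.password !== '') return null; // no userinfo
  if (!allowedHosts.has(url.host)) return null; // host includes a non-default port

  // Hand Express the serialized form, so the string that was checked and the
  // string placed in the Location header are the same.
  return url.href;
}

// Hypothetical Express route handler using the check above.
function handleRedirect(req, res) {
  const target = safeRedirectTarget(req.query.next);
  if (target === null) {
    return res.status(400).send('invalid redirect target');
  }
  return res.redirect(target);
}
```

Upgrading to a fixed Express release remains the actual remediation; this check only narrows what reaches res.redirect() in the meantime.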

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

AZL-37137
AZL-43690
AZL-44361
BDU:2024-05779
CVE-2024-29041
GHSA-RV95-896H-C2VC
USN-7581-1

Affected Products

Debian
Express.Js
Linuxmint
Red Os
Ubuntu