CVE-2024-29041
CVSS V2 None
CVSS V3 None
Description
Express.js is a minimalist web framework for Node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express encodes the contents [using `encodeurl`](https://github.com/pillarjs/encodeurl) before passing them to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
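Besides upgrading to a fixed release, an application can make its allow list independent of any later re-encoding by parsing the user-provided URL once and redirecting to the parser's own serialization. The following is an added example, not code from Express or from the advisory; the host names, the fallback path, the length limit and the `next` query parameter are assumptions.

```javascript
// Added example: application-side redirect validation (not Express's own code).
// The string that is validated is the same string that is emitted, so an
// encoding step applied afterwards cannot change which host it points at.
const ALLOWED_HOSTS = new Set(['app.example.com', 'login.example.com']); // assumed allow list
const FALLBACK = '/';                                                    // assumed safe default
const MAX_LEN = 2048;                                                    // assumed input limit

function safeRedirectTarget(input, allowedHosts = ALLOWED_HOSTS, fallback = FALLBACK) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_LEN) {
    return fallback;
  }
  let url;
  try {
    url = new URL(input); // WHATWG parser; relative or unparseable input throws
  } catch {
    return fallback;
  }
  if (url.protocol !== 'https:') return fallback;                   // no http:, javascript:, data: ...
  if (url.username !== '' || url.password !== '') return fallback;  // no userinfo before the host
  if (url.port !== '') return fallback;                             // default port only
  if (!allowedHosts.has(url.hostname)) return fallback;             // exact match on the parsed host
  return url.href; // normalized serialization of what was just checked
}

// Constructed sample inputs, for illustration only.
const samples = [
  'https://APP.example.com/a b?x=1',      // allowed host, gets normalized
  'https://app.example.com.other.test/',  // look-alike suffix, rejected
  'https://app.example.com@other.test/',  // userinfo before the real host, rejected
  'http://app.example.com/',              // wrong scheme, rejected
  '/dashboard',                           // relative, rejected by this absolute-only check
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}

// In an Express handler (hypothetical route and parameter name):
//   res.redirect(safeRedirectTarget(req.query.next));
```
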
Overview
- CVE ID: CVE-2024-29041
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2024-03-25T20:20:06.205Z
- Last Modified Date: 2024-06-04T17:57:16.909Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc | x_refsource_CONFIRM |
https://github.com/koajs/koa/issues/1800 | x_refsource_MISC |
https://github.com/expressjs/express/pull/5539 | x_refsource_MISC |
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd | x_refsource_MISC |
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94 | x_refsource_MISC |
https://expressjs.com/en/4x/api.html#res.location | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-29041 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29041 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-26 02:36:16 | | | | Added to TrackCVE |