CVE-2024-43796

Cross-Site Scripting
Affects
Express
>=3.0.0-alpha1, <=3.21.2, >=4.0.0-rc1, <4.20.0, >=5.0.0-alpha.1, <5.0.0
in
Express
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.

A Cross-Site Scripting (XSS) vulnerability (CVE-2024-43796) has been identified in the Express 3 Response object.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

This affects Express versions greater than or equal to 3.0.0-alpha1, but less than 4.20.0 and greater than or equal to 5.0.0-alpha.1, but less than 5.0.0.

Details

Module Info

Vulnerability Info

Express's redirect() method on the response object is susceptible to XSS when it is passed untrusted user input. Even after that input has been sanitized, response.redirect() may still render it in a way that executes untrusted code.

For HTML responses, the redirect() method reflects the target URL string back into the body and uses it as both the href and the text of an HTML anchor. For status codes that do not cause the browser to redirect automatically, the anchor is rendered in the page and can deliver XSS content.
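As a defensive illustration added here (not code from the advisory, the Express project or the referenced POC), the following Node.js helper validates a user-supplied redirect target before it is passed to res.redirect(): it accepts only http(s) URLs whose host is on an allow-list, so scheme-based inputs like the one this advisory describes fall back to a safe default. SAFE_ORIGIN, ALLOWED_HOSTS and safeRedirectTarget are constructed names for this example.

```javascript
// Added example, not from the advisory or the Express project: validate a
// user-controlled redirect target before it reaches res.redirect(). The origin,
// allow-list and function name are constructed for this illustration.
const SAFE_ORIGIN = 'http://localhost:3000';                               // constructed: our own origin
const ALLOWED_HOSTS = new Set([new URL(SAFE_ORIGIN).host, 'example.com']); // constructed allow-list

function safeRedirectTarget(raw, fallback = '/') {
  if (typeof raw !== 'string' || raw === '') return fallback;

  let target;
  try {
    // Relative inputs ("/account") resolve against our origin; absolute inputs
    // keep their own scheme and host, which is exactly what we need to inspect.
    target = new URL(raw, SAFE_ORIGIN);
  } catch {
    return fallback; // unparsable input
  }

  // Only http(s) may be reflected: "javascript:", "data:" and similar schemes
  // are rejected here, so a scheme-based payload never reaches an href.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;

  // Protocol-relative ("//other.example") and backslash variants ("/\other.example")
  // resolve to a foreign host, which fails this allow-list check.
  if (!ALLOWED_HOSTS.has(target.host)) return fallback;

  // Hand back the normalised URL rather than the raw string, so nothing
  // attacker-shaped is copied into the Location header or the HTML body.
  return target.href;
}

// Route usage (Express assumed installed; not executed in this file):
// app.get('/', (req, res) => res.redirect(302, safeRedirectTarget(req.query.url)));

// Stand-alone demonstration with the advisory's payload shape and a benign path.
for (const input of ['javascript:alert(1)//://', '//other.example/x', '/account']) {
  console.log(JSON.stringify(input), '->', safeRedirectTarget(input));
}
```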

Steps to Reproduce

  1. Create a simple Express application route to handle the request.
    This Express code illustrates dynamically setting the redirect target from the URL parameter.

    const express = require('express');
    const app = express();

    app.get('/', function (req, res) {
      const url = req.query.url || '';
      res.redirect(404, url);  // using 404 to avoid browser redirection
    });

    app.listen(3000);  // matches the http://localhost:3000 URL used in step 2
    
  2. With a browser, visit the exploitable route.
    This link demonstrates untrusted user input delivered as a URL parameter. Placing the //:// at the end bypasses the relative URL check and allows the input URL to be rendered without a leading slash.
    http://localhost:3000/?url=javascript:alert(1)//://
  3. Click the returned link in the message. It should fire the XSS JavaScript alert.

Proof Of Concept

A full reproduction with code similar to the above can be found here:

Express 3.x XSS via response.redirect() POC

Credits

Mitigation

Express 3 has reached End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate to a newer version of Express.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details
ID
CVE-2024-43796
PROJECT Affected
Express
Versions Affected
>=3.0.0-alpha1, <=3.21.2, >=4.0.0-rc1, <4.20.0, >=5.0.0-alpha.1, <5.0.0
Published date
September 10, 2024
≈ Fix date
October 17, 2024
Fixed in
Severity
Medium
Category
Cross-Site Scripting