By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2024-9266

URL Redirect/Open Redirect

Affects

Express

>=3.4.5 <4.0.0

Express

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.

‍

An open redirect vulnerability (CVE-2024-9266) has been identified within the Express 3 Response object.

‍

Per OWASP, open redirection, also referred to as URL redirection, is an input validation flaw that exists when an application accepts user-controlled input that specifies a link which leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page.

‍

This affects Express versions greater than or equal to 3.4.5 and lower than 4.0.0.

‍

Details

Module Info

Product: Express
Affected component: express
Affected versions: >=3.4.5 <4.0.0
Github repository: https://github.com/expressjs/express
Published Packages: https://www.npmjs.com/package/express
Package manager: npm
Fixed in: Express NES v3.21.4

Vulnerability Info

This Medium-severity vulnerability is found in response.js in the Express package.

Express's location() method in the response object is susceptible to an open redirect when:

a request path begins with double slashes (//)
AND
a relative path for redirection begins with ./ and is provided from user-controlled input
AND
the Location header is set with that user-controlled input

The location() method will extract the path // and prepend it to the relative URL using the resolve() method which evaluates the ./ and returns it as / so the resultant URL for the location redirect becomes something like '///example.com'. This would be evaluated in most browsers as equivalent to //example.com which is a valid scheme-relative-special-url and will be sent in the header as 'Location: ///example.com' and can redirect users to an attacker's site.

Steps To Reproduce

In Express application code, create a path that redirects a user to a location that was provided via a URL query parameter.

app.get('/', function (req, res) {
  const pageId = req.query.pageId;
  if (pageId && pageId[0] === '.') {
    res.status(301).location(pageId);
  }
  res.send('OK');
});

‍

In a browser, visit the Express application route with a query like the following:

http://localhost:3000//?pageId=./example.com

‍

The browser should redirect to https://example.com. The result can also be observed by inspecting the browser’s header details with Chrome DevTools.

Proof Of Concept

A full reproduction with code similar to the above can be found here:
Express 3.x open redirect reproduction

Credits

Matvejs Mascenko (finder)

‍

Mitigation

Express 3 has reached End-of-Life and will not receive any updates to address this issue. For more information see here.

‍

Users of the affected components should apply one of the following mitigations:

Migrate to a newer version of Express.
Leverage a commercial support partner like HeroDevs for post-EOL security support.

Back to Directory

What is a HeroDevs Security Advisory?

Vulnerability Details

CVE-2024-9266

PROJECT Affected

Express

Versions Affected

>=3.4.5 <4.0.0

Published date

October 3, 2024

≈ Fix date

August 23, 2024

Fixed in

Express NES

Severity

Medium