Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-9266

URL Redirect/Open Redirect
Affects
Express
>=3.4.5 <4.0.0
in
Express
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Overview

Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.

An open redirect vulnerability (CVE-2024-9266) has been identified within the Express 3 Response object

Per OWASP, open redirection, also referred to as URL redirection, is an input validation flaw that exists when an application accepts user-controlled input that specifies a link which leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page.

This affects Express versions greater than or equal to 3.4.5 and lower than 4.0.0.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in response.js in the Express package.  

Express's location() method in the response object is susceptible to an open redirect when:

  1. a request path begins with double slashes (//)
    AND
  2. a relative path for redirection begins with ./ and is provided from user-controlled input
    AND
  3. the Location header is set with that user-controlled input

The location() method will extract the path // and prepend it to the relative URL using the resolve() method which evaluates the ./ and returns it as / so the resultant url for the location redirect becomes something like ’///example.com’. This would be evaluated in most browsers as equivalent to `//example.com` which is a valid scheme-relative-special-url and will be sent in the header as ‘Location: ///example.com’ and can redirect users to an attacker’s site.

Steps to Reproduce

  • In Express application code, create a path that redirects a user to a location that was provided via a URL query parameter. 
app.get(['/'], function (req, res) { 
  const pageId = req.query.pageId;
  if (pageId && pageId[0] == '.') { 
    res.status(301).location(pageId); 
  }
  res.send('OK'); 
});

  • In a browser, visit the Express application route with a query like the following:
http://localhost:3000//?pageId=./example.com

  • The browser should redirect to https://example.com. The result can also be observed by inspecting the browser’s header details with Chrome DevTools.

Proof Of Concept

A full reproduction with code similar to the above can be found here:
Express 3.x open redirect reproduction

Credits

  • Matvejs Mascenko (finder)

Mitigation

Express 3 has reached End-of-Life and will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Migrate to a newer version of Express
  • Apply their own patch
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID
CVE-2024-9266
PROJECT Affected
Express
Versions Affected
>=3.4.5 <4.0.0
Published date
October 3, 2024
≈ Fix date
August 23, 2024
Fixed in
Express NES
Severity
Medium
Category
URL Redirect/Open Redirect