Overview
Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.
An open redirect vulnerability (CVE-2024-9266) has been identified within the Express 3 Response object.
Per OWASP, open redirection, also referred to as URL redirection, is an input validation flaw that exists when an application accepts user-controlled input that specifies a link which leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page.
This affects Express versions greater than or equal to 3.4.5 and lower than 4.0.0.
Details
Module Info
- Product: Express
- Affected component: express
- Affected versions: >=3.4.5 <4.0.0
- Github repository: https://github.com/expressjs/express
- Published Packages: https://www.npmjs.com/package/express
- Package manager: npm
- Fixed in: Express NES v3.21.4
Vulnerability Info
This Medium-severity vulnerability is found in response.js in the Express package.
Express's location() method in the response object is susceptible to an open redirect when:
- a request path begins with double slashes (//)
AND - a relative path for redirection begins with ./ and is provided from user-controlled input
AND - the Location header is set with that user-controlled input
The location() method will extract the path // and prepend it to the relative URL using the resolve() method which evaluates the ./ and returns it as / so the resultant URL for the location redirect becomes something like '///example.com'. This would be evaluated in most browsers as equivalent to //example.com which is a valid scheme-relative-special-url and will be sent in the header as 'Location: ///example.com' and can redirect users to an attacker's site.
Steps To Reproduce
- In Express application code, create a path that redirects a user to a location that was provided via a URL query parameter.
app.get('/', function (req, res) {
const pageId = req.query.pageId;
if (pageId && pageId[0] === '.') {
res.status(301).location(pageId);
}
res.send('OK');
});
- In a browser, visit the Express application route with a query like the following:
http://localhost:3000//?pageId=./example.com
- The browser should redirect to https://example.com. The result can also be observed by inspecting the browser’s header details with Chrome DevTools.
Proof Of Concept
A full reproduction with code similar to the above can be found here:
Express 3.x open redirect reproduction
Credits
- Matvejs Mascenko (finder)
Mitigation
Express 3 has reached End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate to a newer version of Express.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.