CVE-2024-9266

URL Redirect/Open Redirect
Affects
Express
>=3.4.5 <4.0.0
in
Express
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.

An open redirect vulnerability (CVE-2024-9266) has been identified within the Express 3 Response object.

Per OWASP, open redirection, also referred to as URL redirection, is an input validation flaw that exists when an application accepts user-controlled input that specifies a link which leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page.

This affects Express versions greater than or equal to 3.4.5 and lower than 4.0.0.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in response.js in the Express package.  

Express's location() method in the response object is susceptible to an open redirect when:

  1. a request path begins with double slashes (//)
    AND
  2. a relative path for redirection begins with ./ and is provided from user-controlled input
    AND
  3. the Location header is set with that user-controlled input

The location() method will extract the path // and prepend it to the relative URL using the resolve() method which evaluates the ./ and returns it as / so the resultant URL for the location redirect becomes something like '///example.com'. This would be evaluated in most browsers as equivalent to //example.com which is a valid scheme-relative-special-url and will be sent in the header as 'Location: ///example.com' and can redirect users to an attacker's site.

Steps To Reproduce

  • In Express application code, create a path that redirects a user to a location that was provided via a URL query parameter.
app.get('/', function (req, res) {
  const pageId = req.query.pageId;
  if (pageId && pageId[0] === '.') {
    res.status(301).location(pageId);
  }
  res.send('OK');
});

  • In a browser, visit the Express application route with a query like the following:
http://localhost:3000//?pageId=./example.com

  • The browser should redirect to https://example.com. The result can also be observed by inspecting the browser’s header details with Chrome DevTools.

Proof Of Concept

A full reproduction with code similar to the above can be found here:
Express 3.x open redirect reproduction

Credits

  • Matvejs Mascenko (finder)

Mitigation

Express 3 has reached End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate to a newer version of Express.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details
ID
CVE-2024-9266
PROJECT Affected
Express
Versions Affected
>=3.4.5 <4.0.0
Published date
October 3, 2024
≈ Fix date
August 23, 2024
Fixed in
Severity
Medium
Category
URL Redirect/Open Redirect