Overview
Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.
A Resource Injection vulnerability (CVE-2024-47764) has been identified within the Express 3 Response object via the cookie dependency.
Per MITRE: Resource Injection happens when the application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
In this instance, browser cookies are the affected resource: an attacker can supply untrusted input that the application then uses to set a cookie name, path, or domain. A combination of extra = and ; characters can be used to store malicious data in the value of a new and unexpected cookie, which could result in Reflected XSS. The actual vulnerability exists in the jshttp/cookie library that Express depends on for cookie management.
This affects Express versions 3.0.0-alpha1 to 3.21.2, 4.0.0-rc1 to 4.21.0, and 5.0.0-alpha.1 to 5.0.0 based on a cookie dependency less than version 0.7.0.
Details
Module Info
- Product: Express
- Affected component: express (via cookie)
- Affected versions: >=3.0.0-alpha1 <=3.21.2, >=4.0.0-rc1 <4.21.1, >=5.0.0-alpha.1 <5.0.1
- Github repository: https://github.com/expressjs/express, https://github.com/jshttp/cookie
- Published Packages: https://www.npmjs.com/package/express, https://www.npmjs.com/package/cookie
- Package manager: npm
Vulnerability Info
Express's cookie() and clearCookie() methods in the response object are susceptible to Resource Injection when using untrusted user input to set cookie name, path, or domain. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Steps to Reproduce
1. Create a simple Express application route to handle the request.
This Express code illustrates dynamically setting the cookie name from the URL parameter.
var express = require('express');
var app = express();
// The cookie name is taken straight from the query string (the unsafe pattern this advisory describes)
app.get('/', function (req, res) {
  res.cookie(req.query.cookieName);
  res.send('cookie set');
});
app.listen(3000);
2. With a browser, visit the exploitable route.
This link demonstrates untrusted user input delivered as a URL parameter. A combination of extra = and ; characters can be used to break out of the intended cookie context and store malicious data in the value of a new cookie named userId.
http://localhost:3000/?cookieName=userId=<script>alert(1)</script>;+Max-Age=2592000;+a
3. Using Chrome DevTools, inspect the Network or Applications tabs to see the new cookie being set.
Proof Of Concept
A full reproduction with code similar to the above can be found here:
Express 3.x Arbitrary Cookie Injection POC
Credits
Mitigation
Express 3 has reached End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications away from Express 3.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.