CVE-2024-29041

25.03.2024, 21:15

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_M	CNA	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 30%

Vendor	Product	Version
openjsf	express	𝑥 < 4.19.2
openjsf	express	5.0.0:alpha1
openjsf	express	5.0.0:alpha2
openjsf	express	5.0.0:alpha3
openjsf	express	5.0.0:alpha4
openjsf	express	5.0.0:alpha5
openjsf	express	5.0.0:alpha6
openjsf	express	5.0.0:alpha7
openjsf	express	5.0.0:alpha8
openjsf	express	5.0.0:beta1
openjsf	express	5.0.0:beta2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-express

bullseye	no-dsa
bookworm	no-dsa
buster	postponed
trixie	4.21.2+~cs8.36.27-2 fixed
forky	5.1.0+~cs12.3.3-1 fixed
sid	5.1.0+~cs12.3.3-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-express

questing	not-affected
plucky	not-affected
oracular	not-affected
noble	not-affected
mantic	ignored
jammy	Fixed 4.17.3+~4.17.13-1ubuntu0.1~esm1 released
focal	Fixed 4.17.1-2ubuntu0.1~esm1 released
bionic	Fixed 4.1.1~dfsg-1ubuntu0.18.04.1~esm1 released
xenial	Fixed 4.1.1~dfsg-1ubuntu0.16.04.1~esm1 released

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://expressjs.com/en/4x/api.html#res.location

https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd

https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94

https://github.com/expressjs/express/pull/5539