CVE-2024-10491 — Injection in Express

CWE-74 — Injection7 documents6 sources

Severity

5.3MEDIUMNVD

CNA4.0

EPSS

0.3%

top 43.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openjsf Express Express

Timeline

PublishedOct 29

Description

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDopenjsf/express3.0.0 — 3.21.5

▶npmexpress/express< 4.0.0-rc1

▶CVEListV5express/express3.0.0-alpha1 — 3.21.2

🔴Vulnerability Details

OSV

Express ressource injection↗2024-10-29

▶

CVEList

Preload arbitrary resources by injecting additional `Link` headers↗2024-10-29

▶

GHSA

Express ressource injection↗2024-10-29

▶

OSV

CVE-2024-10491: A vulnerability has been identified in the Express response↗2024-10-29

▶

📋Vendor Advisories

Red Hat

express: Preload arbitrary resources by injecting additional `Link` headers↗2024-10-29

▶

Debian

CVE-2024-10491: node-express - A vulnerability has been identified in the Express response.links function, allo...↗2024

▶