CVE-2024-29041
published 2024-03-25CVE-2024-29041: Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open…
PriorityP428medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.79%
51.5th percentile
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-express | < node-express 4.19.2+~cs8.36.21-1 (forky) | node-express 4.19.2+~cs8.36.21-1 (forky) |
| express | express | >= 0 < 4.19.2 | 4.19.2 |
| express | express | >= 5.0.0-alpha.1 < 5.0.0-beta.3 | 5.0.0-beta.3 |
| expressjs | express | — | — |
| expressjs | express | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_reaper_3.1.1-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| openjsf | express | < 4.19.2 | 4.19.2 |
| openjsf | express | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv6.1MEDIUM
vendor_debian6.1MEDIUM
vendor_msrc6.1MEDIUM
vendor_oracle6.1MEDIUM
vendor_redhat6.1MEDIUM
vendor_ubuntu6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
node-express vulnerabilities
osv·2025-06-19·CVSS 6.1
CVE-2024-29041 [MEDIUM] node-express vulnerabilities
node-express vulnerabilities
It was discovered that Express incorrectly handled certain URLs, leading
to an open redirect attack. A remote attacker could possibly use this
issue to perform phishing attacks. (CVE-2024-29041)
Adam Korcz discovered that Express did not properly sanitize certain
inputs. A remote attacker could possibly use this issue to perform cross
site scripting. (CVE-2024-43796)
OSV
Express.js Open Redirect in malformed URLs
osv·2024-03-25
CVE-2024-29041 [MEDIUM] Express.js Open Redirect in malformed URLs
Express.js Open Redirect in malformed URLs
### Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is `res.location()` but this is also called from within `res.redirect()`.
### Patches
https://github.com/expressjs/expr
GHSA
Express.js Open Redirect in malformed URLs
ghsa·2024-03-25
CVE-2024-29041 [MEDIUM] CWE-1286 Express.js Open Redirect in malformed URLs
Express.js Open Redirect in malformed URLs
### Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is `res.location()` but this is also called from within `res.redirect()`.
### Patches
https://github.com/expressjs/expr
OSV
CVE-2024-29041: Express
osv·2024-03-25·CVSS 6.1
CVE-2024-29041 [MEDIUM] CVE-2024-29041: Express
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Ubuntu
Express vulnerabilities
vendor_ubuntu·2025-06-19·CVSS 6.1
CVE-2024-29041 [MEDIUM] Express vulnerabilities
Title: Express vulnerabilities
Summary: Several security issues were fixed in Express.
It was discovered that Express incorrectly handled certain URLs, leading
to an open redirect attack. A remote attacker could possibly use this
issue to perform phishing attacks. (CVE-2024-29041)
Adam Korcz discovered that Express did not properly sanitize certain
inputs. A remote attacker could possibly use this issue to perform cross
site scripting. (CVE-2024-43796)
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Express.js) — CVE-2024-29041
vendor_oracle·2025-01-15·CVSS 6.1
CVE-2024-29041 [MEDIUM] Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Express.js) — CVE-2024-29041
Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Express.js) vulnerability
CVE: CVE-2024-29041
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
Red Hat
express: cause malformed URLs to be evaluated
vendor_redhat·2024-03-25·CVSS 6.1
CVE-2024-29041 [MEDIUM] CWE-601 express: cause malformed URLs to be evaluated
express: cause malformed URLs to be evaluated
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is
Microsoft
Express.js Open Redirect in malformed URLs
vendor_msrc·2024-03-12·CVSS 6.1
CVE-2024-29041 [MEDIUM] CWE-601 Express.js Open Redirect in malformed URLs
Express.js Open Redirect in malformed URLs
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micros
Debian
CVE-2024-29041: node-express - Express.js minimalist web framework for node. Versions of Express.js prior to 4....
vendor_debian·2024·CVSS 6.1
CVE-2024-29041 [MEDIUM] CVE-2024-29041: node-express - Express.js minimalist web framework for node. Versions of Express.js prior to 4....
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Scope: local
No detection rules found.
No public exploits indexed.
https://expressjs.com/en/4x/api.html#res.locationhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2ddhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94https://github.com/expressjs/express/pull/5539https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vchttps://github.com/koajs/koa/issues/1800https://expressjs.com/en/4x/api.html#res.locationhttps://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2ddhttps://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94https://github.com/expressjs/express/pull/5539https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vchttps://github.com/koajs/koa/issues/1800
2024-03-25
Published