CVE-2024-43796
Published: 2024-09-10
Priority: P4
CVSS 3.1: 4.7 (medium), vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.46% (36.4th percentile)
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-express | < node-express 4.21.0+~cs8.36.26-1 (forky) | node-express 4.21.0+~cs8.36.26-1 (forky) |
| express | express | >= 0 < 4.20.0 | 4.20.0 |
| express | express | >= 5.0.0-alpha.1 < 5.0.0 | 5.0.0 |
| expressjs | express | < 4.20.0 | 4.20.0 |
| expressjs | express | — | — |
| msrc | azl3_python-tensorboard_2.16.2-5_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_reaper_3.1.1-12_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| openjsf | express | < 4.20.0 | 4.20.0 |
| openjsf | express | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | — |
| vendor_ubuntu | 6.1 | MEDIUM | — |
| vendor_debian | 5.0 | MEDIUM | — |
| vendor_redhat | 5.0 | MEDIUM | — |
| vendor_msrc | 4.7 | MEDIUM | — |
| vendor_oracle | 4.7 | MEDIUM | — |
Oracle
Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Express.js)
vendor_oracle · 2026-01-15 · CVSS 4.7 [MEDIUM]
CVE: CVE-2024-43796
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2026 (JAN 2026)
Oracle
Oracle Communications Risk Matrix: User Interface (Express.js)
vendor_oracle · 2025-07-15 · CVSS 4.7 [MEDIUM]
CVE: CVE-2024-43796
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujul2025 (JUL 2025)
Ubuntu
Express vulnerabilities (covers CVE-2024-29041 and CVE-2024-43796)
vendor_ubuntu · 2025-06-19 · CVSS 6.1 [MEDIUM]
Summary: Several security issues were fixed in Express.
It was discovered that Express incorrectly handled certain URLs, leading to an open redirect attack. A remote attacker could possibly use this issue to perform phishing attacks. (CVE-2024-29041)
Adam Korcz discovered that Express did not properly sanitize certain inputs. A remote attacker could possibly use this issue to perform cross site scripting. (CVE-2024-43796)
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Communications Applications Risk Matrix: User Interface (Express.js)
vendor_oracle · 2025-04-15 · CVSS 4.7 [MEDIUM]
CVE: CVE-2024-43796
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpuapr2025 (APR 2025)
Microsoft
express vulnerable to XSS via response.redirect()
vendor_msrc · 2024-09-10 · CVSS 4.7 [MEDIUM] · CWE-79
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn
Red Hat
express: Improper Input Handling in Express Redirects
vendor_redhat · 2024-09-10 · CVSS 5.0 [MEDIUM] · CWE-79
A flaw was found in Express. This vulnerability allows untrusted code execution via passing untrusted user input to response.redirect(), even if the input is sanitized.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: express (Cryostat 3) - Fix deferred
Package: openshift-logging/logging-view-plugin-rhel8 (Logging Su
Debian
CVE-2024-43796: node-express
vendor_debian · 2024 · CVSS 5.0 [MEDIUM]
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.21.0+~cs8.36.26-1)
sid: resolved (fixed in 4.21.0+~cs8.36.26-1)
trixie: resolved (fixed in 4.21.0+~cs8.36.26-1)
OSV
node-express vulnerabilities (mirror of the Ubuntu advisory text above; covers CVE-2024-29041 and CVE-2024-43796)
osv · 2025-06-19 · CVSS 6.1 [MEDIUM]
OSV
CVE-2024-43796: Express
osv · 2024-09-10 · CVSS 4.7 [MEDIUM]
OSV
express vulnerable to XSS via response.redirect()
osv · 2024-09-10 · [LOW]
### Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code
### Patches
this issue is patched in express 4.20.0
### Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
### Details
successful exploitation of this vector requires the following:
1. The attacker MUST control the input to response.redirect()
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete redirection before:
4. the user MUST click on the link in the template
GHSA
express vulnerable to XSS via response.redirect()
ghsa · 2024-09-10 · [LOW] · CWE-79
Advisory text (Impact, Patches, Workarounds, Details) identical to the OSV entry above.
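The Impact and Details sections above state the mechanism only in outline: an HTML-escaped redirect target can still be a clickable `javascript:` link. The following is an added example written for this page, not code from Express or from the advisory. It assumes that the pre-4.20.0 HTML fallback body of `res.redirect()` wrapped the escaped target in an `<a href="...">` anchor and that 4.20.0 removed the anchor; `legacyRedirectBody`, `patchedRedirectBody`, `hasScriptHref`, `safeRedirectTarget` and the placeholder `ALLOWED_HOSTS` set are names introduced here. It shows why escaping alone does not help, what the patched body shape removes, and one implementation of the allowlist workaround the advisory recommends.

```javascript
// Added example, not Express's own code. Models CVE-2024-43796: HTML escaping
// neutralizes <, >, &, " and ' but leaves the URL scheme untouched, so a
// javascript: target survives escaping and becomes a clickable script link
// if the redirect body puts it inside an anchor.

// Minimal escaper covering the five characters escape-html handles.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed pre-4.20.0 shape: escaped target used as both href and link text.
function legacyRedirectBody(target) {
  const u = escapeHtml(target);
  return `<p>Found. Redirecting to <a href="${u}">${u}</a></p>`;
}

// Assumed 4.20.0 shape: same text, no anchor, nothing for the user to click.
function patchedRedirectBody(target) {
  return `<p>Found. Redirecting to ${escapeHtml(target)}</p>`;
}

// Report whether the first <a href="..."> in the body carries a script scheme
// (leading whitespace and letter case are ignored, as browsers ignore them).
function hasScriptHref(html) {
  const m = /<a href="([^"]*)"/i.exec(html);
  return m !== null && /^\s*javascript:/i.test(m[1]);
}

// Allowlist workaround: accept a single-slash relative path or an https URL
// whose host is explicitly approved; anything else becomes the fallback.
const ALLOWED_HOSTS = new Set(['example.com', 'login.example.com']); // placeholder hosts

function safeRedirectTarget(input, fallback = '/') {
  if (typeof input !== 'string') return fallback;
  // '/path' is accepted; '//host' and '/\host' are scheme-relative and rejected.
  if (/^\/(?![\/\\])/.test(input)) return input;
  let url;
  try {
    url = new URL(input); // javascript:, data:, http: and foreign hosts all fail below
  } catch {
    return fallback; // not an absolute URL either
  }
  return url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname)
    ? url.href
    : fallback;
}

// Run a constructed hostile target through all three paths.
function demo(hostile = 'javascript:alert(document.domain)') {
  return {
    legacyClickableScript: hasScriptHref(legacyRedirectBody(hostile)),   // true
    patchedClickableScript: hasScriptHref(patchedRedirectBody(hostile)), // false
    allowlisted: safeRedirectTarget(hostile),                            // '/'
  };
}

console.log(demo());
```

Note that `safeRedirectTarget` parses with the WHATWG `URL` class rather than matching the raw string, so a target such as `https://example.com@evil.example/` is judged by its real hostname, and the allowlist is consulted before the value ever reaches a redirect call.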
No detection rules found.
No public exploits indexed.
Published: 2024-09-10