CVE-2024-43799: Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes…

CVE-2024-43799 [MEDIUM] CVE-2024-43799: Send is a library for streaming files from the file system as a http response Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

CVE-2024-43799 [LOW] CWE-79 send vulnerable to template injection that can lead to XSS send vulnerable to template injection that can lead to XSS ### Impact passing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code ### Patches this issue is patched in send 0.19.0 ### Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist ### Details successful exploitation of this vector requires the following: 1. The attacker MUST control the input to response.redirect() 1. express MUST NOT redirect before the template appears 1. the browser MUST NOT complete redirection before: 1. the user MUST click on the link in the template

CVE-2024-43799 [LOW] send vulnerable to template injection that can lead to XSS send vulnerable to template injection that can lead to XSS ### Impact passing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code ### Patches this issue is patched in send 0.19.0 ### Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist ### Details successful exploitation of this vector requires the following: 1. The attacker MUST control the input to response.redirect() 1. express MUST NOT redirect before the template appears 1. the browser MUST NOT complete redirection before: 1. the user MUST click on the link in the template

CVE-2024-43799 [MEDIUM] CWE-79 send vulnerable to template injection that can lead to XSS send vulnerable to template injection that can lead to XSS FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this. Mariner: Mariner GitHub_M: GitHub_M Customer Action Required: Yes Remediation: CBL-Mariner Releases Reference: http

CVE-2024-43799 [MEDIUM] CWE-79 send: Code Execution Vulnerability in Send Library send: Code Execution Vulnerability in Send Library Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Package: send (Cryostat 3) - Fix deferred Package: openshift-logging/logging-view-plugin-rhel8 (Logging Subsystem for Red Hat OpenShift) - N

CVE-2024-43799 [MEDIUM] CVE-2024-43799: node-send - Send is a library for streaming files from the file system as a http response. S... Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. Scope: local bookworm: resolved (fixed in 0.18.0+~cs1.19.1-3+deb12u1) bullseye: resolved (fixed in 0.17.1-2+deb11u1) forky: resolved (fixed in 1.1.0+~cs1.19.4-1) sid: resolved (fixed in 1.1.0+~cs1.19.4-1) trixie: resolved (fixed in 1.1.0+~cs1.19.4-1)

CVE-2024-43799 [MEDIUM] CVE-2024-43799 send: Code Execution Vulnerability in Send Library CVE-2024-43799 send: Code Execution Vulnerability in Send Library Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. Discussion: This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.4 for RHEL 8 Via RHSA-2024:7724 https://access.redhat.com/errata/RHSA-2024:7724 --- This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.6 for RHEL 8 Red Hat OpenShift Service Mesh 2.6 for RHEL 9 Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726 --- This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.5 for RHEL 8 Via RH