4.20.1
5.0.1
4.20.0
CVE-2024-43796 describes a cross-site scripting (XSS) vulnerability affecting versions of Express.js prior to 4.20.0. This vulnerability allows an attacker to inject malicious scripts into web pages, potentially leading to session hijacking or defacement. Affected versions include all releases before 4.20.0. A patch is available in version 4.20.0, and workarounds are recommended for those unable to immediately upgrade.
The vulnerability arises because Express.js, a popular Node.js web application framework, does not adequately sanitize user-controlled input before passing it to the response.redirect() function. An attacker who can control the input to response.redirect() can inject arbitrary JavaScript code. This code will then be executed in the context of the user's browser when the redirect occurs. Successful exploitation could allow an attacker to steal session cookies, redirect users to malicious websites, or modify the content of the page being displayed. The blast radius is significant, as any application using vulnerable versions of Express.js is potentially at risk. This is particularly concerning for applications that rely on user-supplied data for redirection purposes.
CVE-2024-43796 was publicly disclosed on September 10, 2024. There is no indication of this vulnerability being actively exploited at this time. The CVSS score is 5 (Medium), indicating a moderate level of severity. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it likely that POCs will emerge. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS
0.12% (31% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-43796 is to upgrade to Express.js version 4.20.0 or later, which contains the fix. If upgrading is not immediately feasible, a workaround involves rigorously validating any user-supplied input before passing it to response.redirect(). Implement an explicit allowlist of acceptable characters or patterns to prevent malicious code injection. Consider using a web application firewall (WAF) with XSS filtering rules to provide an additional layer of defense. Regularly review and update input validation routines to ensure they remain effective against evolving attack techniques. After upgrade, confirm by attempting a redirect with a known malicious payload and verifying it is properly sanitized.
Update the version of Express to 4.20.0 or higher. This corrects the XSS vulnerability in the response.redirect() function. Ensure you test the application after the update to verify there are no compatibility issues.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-43796 is a cross-site scripting (XSS) vulnerability affecting Express.js versions before 4.20.0, allowing attackers to inject malicious scripts via the response.redirect() function.
You are affected if your application uses Express.js versions earlier than 4.20.0 and handles user-controlled input that is passed to response.redirect().
Upgrade to Express.js version 4.20.0 or later. As a workaround, validate user input against an explicit allowlist before using it in response.redirect().
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Express.js GitHub repository and related security advisories for the latest information: https://github.com/expressjs/express
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.