Platform: nodejs
Component: express
Fixed in: 4.20.1, 5.0.1, 4.20.0
CVE-2024-43796 describes a cross-site scripting (XSS) vulnerability in Express.js versions prior to 4.20.0. An attacker whose input reaches response.redirect() can inject script into the response, which can lead to session hijacking or page defacement. All releases before 4.20.0 are affected. The fix ships in 4.20.0; workarounds are recommended for deployments that cannot upgrade immediately.
The root cause is that Express.js, a widely used Node.js web application framework, did not adequately encode a user-controlled value passed to response.redirect() before writing it into the redirect response. An attacker who controls that argument can therefore inject JavaScript that runs in the victim's browser when the redirect response is processed. Successful exploitation could allow the attacker to steal session cookies, send users to attacker-chosen sites, or alter the content of the page displayed. The blast radius is significant: any application running a vulnerable version and passing untrusted data to response.redirect() is exposed. Applications that redirect to a user-supplied destination (for example a "return to this page after login" parameter) are the typical case.
CVE-2024-43796 was publicly disclosed on September 10, 2024. No active exploitation has been reported so far. The CVSS base score is 5.0 (Medium). No public proof-of-concept (PoC) code is known at the time of writing, although the simplicity of the bug makes one likely to appear. The vulnerability is not listed in the CISA KEV catalog.
Web applications built on Express.js versions prior to 4.20.0 are at risk, in particular those that accept user-supplied data and pass it to response.redirect() for navigation. Where several applications resolve to one shared Express.js installation (for example a single node_modules tree on a shared host), every one of them is vulnerable until that shared copy is upgraded, so the fix must be applied and verified for each application that depends on it.
• nodejs / server: run npm list express in each project to see which Express.js version it resolves to; anything below 4.20.0 is vulnerable (check every copy, including nested ones).
• nodejs / server: run npm audit to check the installed dependency tree against the advisory database.
• generic web: inspect application logs for unusual redirect patterns, such as redirect targets containing script or URL schemes other than http and https, and for errors raised from response.redirect().
• generic web: review code for places where user input (query parameters, form fields, headers) is passed to response.redirect() without validation; searching the codebase for calls to res.redirect( and tracing where each argument comes from is a quick first pass.
Disclosure
Exploit status
EPSS: 0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-43796 is to upgrade to Express.js version 4.20.0 or later, which contains the fix. If upgrading is not immediately feasible, rigorously validate any user-supplied value before passing it to response.redirect(): compare it against an explicit allowlist of permitted destinations (site-relative paths or known hosts) and reject anything else, including non-http(s) schemes such as javascript: and protocol-relative URLs. A web application firewall (WAF) with XSS filtering rules can add a further layer of defense but is not a substitute for the upgrade or the allowlist. Review the validation routine regularly so it keeps up with new bypass techniques. After upgrading, confirm the fix by sending a request whose redirect target carries a known payload and inspecting the raw HTTP response: the target must appear properly encoded, and no attacker-supplied markup or script may reach the response.
Update Express to version 4.20.0 or later. This fixes the XSS vulnerability in the response.redirect() function. Test the application after the update to check for compatibility problems.
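As an added example (not code from the Express project or from this advisory), the following JavaScript shows the vulnerable pattern described above next to the allowlist check recommended as a workaround. The application origin, the allowed hosts, the next query parameter and the stand-in response object are assumptions made for this example so that it runs without Express installed; it uses Node's built-in WHATWG URL parser.

```javascript
'use strict';
// Added example, not Express's own code. APP_ORIGIN, ALLOWED_HOSTS and the
// "next" query parameter are hypothetical names chosen for this example.
const APP_ORIGIN = 'https://app.example.com';                               // assumed own origin
const ALLOWED_HOSTS = new Set(['app.example.com', 'accounts.example.com']); // assumed allowlist

// Returns an absolute http(s) URL string that is safe to hand to
// res.redirect(), or null if the input must be rejected.
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return null;
  }
  // CR/LF and other control characters have no place in a redirect target;
  // they are the raw material for header injection and response splitting.
  if (/[\u0000-\u001f\u007f]/.test(input)) {
    return null;
  }
  // Accept a site-relative path only if it starts with exactly one "/".
  // "//host" is protocol-relative and browsers treat "/\host" the same way,
  // so both would escape the application's origin.
  const relative = input.startsWith('/') && !input.startsWith('//') && !input.startsWith('/\\');
  let parsed;
  try {
    parsed = relative ? new URL(input, APP_ORIGIN) : new URL(input);
  } catch {
    return null; // not a URL at all (e.g. a bare word such as "foo")
  }
  // Blocks javascript:, data:, vbscript: and every other non-web scheme.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return null;
  }
  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
    return null; // open redirect to a foreign host
  }
  if (parsed.username !== '' || parsed.password !== '') {
    return null; // "https://app.example.com@evil.example/" style confusion
  }
  // The WHATWG serialiser percent-encodes space, quotes and angle brackets
  // in the path, so the returned string carries no raw markup.
  return parsed.href;
}

// Vulnerable pattern from the advisory: an attacker-controlled value flows
// straight into res.redirect().
function vulnerableHandler(req, res) {
  res.redirect(req.query.next);
}

// Hardened pattern: validate against the allowlist and fall back to a fixed
// in-app location when the value is rejected.
function hardenedHandler(req, res) {
  res.redirect(safeRedirectTarget(req.query.next) || '/');
}

// Minimal stand-in for an Express response object so the example runs
// without Express; it only records what was passed to redirect().
function fakeResponse() {
  return {
    location: null,
    redirect(url) {
      this.location = url;
    },
  };
}

// Runs both handlers on a constructed request and reports where each redirects.
function demo(next) {
  const req = { query: { next } };
  const vuln = fakeResponse();
  const hard = fakeResponse();
  vulnerableHandler(req, vuln);
  hardenedHandler(req, hard);
  return { vulnerable: vuln.location, hardened: hard.location };
}

// Constructed inputs: a legitimate path, a script URL, a protocol-relative
// host, and an allowed external host.
for (const next of ['/account', 'javascript:alert(document.cookie)', '//evil.example/', 'https://accounts.example.com/login?from=app']) {
  console.log(JSON.stringify(next), '->', JSON.stringify(demo(next)));
}
```

Run it with node. The allowlist is worth keeping after the upgrade as well: the 4.20.0 fix concerns how the value is encoded into the response, not whether the application should redirect there at all, so an unvalidated destination parameter remains an open redirect on a patched version.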
CVE-2024-43796 is a cross-site scripting (XSS) vulnerability affecting Express.js versions before 4.20.0, allowing attackers to inject malicious scripts via the response.redirect() function.
You are affected if your application uses Express.js versions earlier than 4.20.0 and handles user-controlled input that is passed to response.redirect().
Upgrade to Express.js version 4.20.0 or later. As a workaround, validate user input against an explicit allowlist before using it in response.redirect().
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Express.js GitHub repository and related security advisories for the latest information: https://github.com/expressjs/express