Platform
nodejs
Component
serve-static
Fixed in
1.16.1
2.0.1
1.16.0
CVE-2024-43800 describes a cross-site scripting (XSS) vulnerability in the serve-static Node.js module. It allows an attacker to potentially execute arbitrary code by manipulating input passed to the response.redirect() function, even after sanitization attempts. The vulnerability affects versions 1.15.0 and earlier; a patch is available in version 1.16.0.
The core of the vulnerability is improper handling of user-controlled input in the response.redirect() function. Even after sanitization, the input can still trigger code execution in the context of the application. A successful attacker could inject malicious scripts that are then executed in the user's browser, potentially leading to session hijacking, data theft, or defacement of the web application. The preconditions (the attacker must control the input, and Express must not redirect before the template appears) add a layer of complexity but do not negate the risk.
CVE-2024-43800 was publicly disclosed on September 10, 2024. At the time of writing there is no indication of active exploitation or of inclusion in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the nature of the vulnerability suggests they could be developed relatively easily. The CVSS score of 5 (Medium) reflects the potential impact and the relatively low complexity of exploitation.
Applications utilizing the serve-static Node.js module, particularly those that dynamically generate redirects based on user-supplied data, are at risk. This includes web applications with user-controlled URL parameters or form inputs that are used in redirect operations. Shared hosting environments where developers may not have control over all dependencies are also at increased risk.
• nodejs / server:
`npm list serve-static`
This command shows the installed version of serve-static in your project. If the version is less than 1.16.0, you are vulnerable.
• nodejs / server:
`grep -rn 'response\.redirect(' .`
Search your codebase for calls to response.redirect() to identify potentially vulnerable areas (the dot is escaped so the pattern matches only the literal method call). Review the input validation logic surrounding each call.
• nodejs / server:
`find . -name 'package-lock.json' -exec grep -l 'serve-static-1.15.0' {} +`
This command searches every package-lock.json under the current directory for the serve-static 1.15.0 tarball reference (the resolved URL ends in serve-static-1.15.0.tgz); a match indicates a vulnerable dependency. Earlier versions are affected too, so also check any other serve-static version pinned in the lockfile.
disclosure
Exploit status
EPSS
0.92% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-43800 is to upgrade to version 1.16.0 of the serve-static module. The patched version addresses the vulnerability by implementing proper input validation and sanitization. If upgrading is not immediately feasible, a workaround is to rigorously validate all user input against an explicit allowlist before passing it to response.redirect(). This ensures that only trusted values are used, preventing the injection of malicious scripts. Thorough testing of the application after implementing any workaround is crucial to confirm its effectiveness.
Update the serve-static dependency to version 1.16.0 or later. This can be done by running `npm install serve-static@latest` or `yarn upgrade serve-static@latest` in your project. Make sure to test the application after the update to verify that there are no compatibility problems.
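The allowlist workaround described above, as an added example that is not code from serve-static, Express or this advisory: the user-supplied value is matched exactly against a fixed set of internal destinations before it reaches response.redirect(), and anything else falls back to a safe default. The allowlist entries, the handler names and the shape of the req/res objects are assumptions for illustration.

```javascript
// Constructed allowlist of internal destinations this application is willing
// to redirect to. Anything not in this set is rejected, however it is encoded.
const ALLOWED_REDIRECTS = new Set(['/', '/dashboard', '/account', '/login']);
const DEFAULT_REDIRECT = '/';

// Returns the allowlisted destination for `input`, or DEFAULT_REDIRECT.
// The check is an exact match on the decoded path: no attempt is made to
// "sanitize" a bad value into a good one, which is the approach the CVE
// shows to be unreliable for redirect().
function resolveRedirect(input) {
  if (typeof input !== 'string') return DEFAULT_REDIRECT;
  let decoded;
  try {
    decoded = decodeURIComponent(input);
  } catch (e) {
    return DEFAULT_REDIRECT; // malformed percent-encoding
  }
  // Reject anything that could leave the site or carry script: URL schemes,
  // protocol-relative URLs, backslashes, control characters and HTML metacharacters.
  if (/^[a-z][a-z0-9+.-]*:/i.test(decoded) || decoded.startsWith('//') ||
      /[\\\u0000-\u001f<>"']/.test(decoded)) {
    return DEFAULT_REDIRECT;
  }
  // Compare the path only; any query string or fragment is discarded.
  const path = decoded.split(/[?#]/, 1)[0];
  return ALLOWED_REDIRECTS.has(path) ? path : DEFAULT_REDIRECT;
}

// Pattern the advisory warns about, shown for contrast: the request value is
// handed straight to redirect(), so the caller controls the destination.
function vulnerableHandler(req, res) {
  res.redirect(req.query.next);
}

// Hardened handler: only an allowlisted destination ever reaches redirect().
function hardenedHandler(req, res) {
  res.redirect(resolveRedirect(req.query.next));
}
```

Both handlers take Express-style req/res objects, so the hardened one can be dropped into an existing route unchanged.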
CVE-2024-43800 is a cross-site scripting (XSS) vulnerability in the serve-static Node.js module, allowing potential code execution via manipulated input to response.redirect().
You are affected if you are using serve-static version 1.15.0 or earlier. Check your project dependencies to determine your version.
Upgrade to serve-static version 1.16.0 or implement strict input validation with an allowlist before using response.redirect().
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited.
Refer to the project's repository or related security advisories for the most up-to-date information.