Homepage
About Snyk

Open Redirect Affecting express package, versions <4.19.2 >=5.0.0-alpha.1 <5.0.0-beta.3

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-EXPRESS-6474509
  • published 26 Mar 2024
  • disclosed 20 Mar 2024
  • credit FDrag0n
Report a new vulnerability Found a mistake?

Introduced: 20 Mar 2024

CVE-2024-29041 Open this link in a new tab
CWE-601 Open this link in a new tab

How to fix?

Upgrade express to version 4.19.2, 5.0.0-beta.3 or higher.

Overview

express is a minimalist web framework.

Affected versions of this package are vulnerable to Open Redirect due to the implementation of URL encoding using encodeurl before passing it to the location header. This can lead to unexpected evaluations of malformed URLs by common redirect allow list implementations in applications, allowing an attacker to bypass a properly implemented allow list and redirect users to malicious sites.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
6.1 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

Red Hat

6.1 medium