You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().
An initial fix went out with [email protected], we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.
Workarounds
The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.
Repositories:
testcafe-hammerhead- https://github.com/PavelMor25/testcafe-hammerhead/security/dependabot/10Package:
expressDescription:
Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using
encodeurlon the contents before passing it to thelocationheader. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.The main method impacted is
res.location()but this is also called from withinres.redirect().Patches
expressjs/express@0867302
expressjs/express@0b74695
An initial fix went out with
[email protected], we then patched a feature regression in4.19.1and added improved handling for the bypass in4.19.2.Workarounds
The fix for this involves pre-parsing the url string with either
require('node:url').parseornew URL. These are steps you can take on your own before passing the user input string tores.locationorres.redirect.References
expressjs/express#5539
koajs/koa#1800
https://expressjs.com/en/4x/api.html#res.location
CVE ID:
CVE-2024-29041GHSA ID:
GHSA-rv95-896h-c2vcThe text was updated successfully, but these errors were encountered: