6.1

CVSS Score

Basic Information

CVE ID

CVE-2021-3189

GHSA ID

GHSA-f4hq-453j-p95f

EPSS Score

CWE

CWE-601

Published

2/5/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3189

CVE-2021-3189:
Open redirect in Slashify

The package is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes (or two backslashes, or a slash and a backslash, etc.) it may redirect to a different domain.

Consider the example from the docs. Assume we have run it and started a server on localhost:3000, then visiting localhost:3000///github.com/ redirects you to https://github.com.

Recommendation

This vulnerability is currently un-patched in the slashify package so there is no known safe version of this package. Discontinuing use of slashify is recommended.

(GitHub Advisory)

6.1

CVSS Score

Basic Information

CVE ID

CVE-2021-3189

GHSA ID

GHSA-f4hq-453j-p95f

EPSS Score

CWE

CWE-601

Published

2/5/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
slashify	npm	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the core middleware functionality in index.js that handles URL normalization. The package's purpose is to strip trailing slashes but fails to validate the resulting path after modification. When given paths like '///github.com/', it removes the trailing slash but leaves '//github.com' which browsers interpret as a protocol-relative URL. The main exported middleware function directly handles this path manipulation and redirection logic without any validation checks for absolute URLs or domain boundaries, making it clearly vulnerable to open redirects.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** is *n *xpr*ss mi**l*w*r* t**t norm*lis*s rout*s *y strippin* *ny *in*l sl*s*, r**ir**tin*, *or *x*mpl*, `*ookin*s/l*t*st/` to `*ookin*s/l*t*st`. *ow*v*r, it *o*s not v*li**t* t** p*t* it r**ir**ts to in *ny w*y. In p*rti*ul*r, i* t** p*t*

Reasoning

T** vuln*r**ility st*ms *rom t** *or* mi**l*w*r* *un*tion*lity in in**x.js t**t **n*l*s URL norm*liz*tion. T** p**k***'s purpos* is to strip tr*ilin* sl*s**s *ut **ils to v*li**t* t** r*sultin* p*t* **t*r mo*i*i**tion. W**n *iv*n p*t*s lik* '///*it*u

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-3189: Open redirect in Slashify

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-3189:
Open redirect in Slashify

Vulnerability Intelligence
Miggo AI