4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-10491

GHSA ID

GHSA-cm5g-3pgc-8rg4

EPSS Score

0.09089%

CWE

CWE-74

Published

10/29/2024

Updated

12/19/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-10491

CVE-2024-10491: Express ressource injection

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.

The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and <> to preload malicious resources.

This vulnerability is especially relevant for dynamic parameters.

(GitHub Advisory)

4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-10491

GHSA ID

GHSA-cm5g-3pgc-8rg4

EPSS Score

0.09089%

CWE

CWE-74

Published

10/29/2024

Updated

12/19/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
express	npm	<= 3.21.4	4.0.0-rc1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly identifies the Express.response.links function as the source of improper sanitization. The function's role in building Link headers using dynamic parameters makes it susceptible to injection when special characters are not neutralized. The reproduction examples demonstrate exploitation via this function, and the CWE-74 classification confirms an injection pattern. The file path is inferred from Express's internal structure where response methods are typically defined.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n i**nti*i** in t** *xpr*ss r*spons*.links *un*tion, *llowin* *or *r*itr*ry r*sour** inj**tion in t** Link *****r w**n uns*nitiz** **t* is us**. T** issu* *ris*s *rom improp*r s*nitiz*tion in `Link` *****r v*lu*s, w*i** **n *l

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s t** `*xpr*ss.r*spons*.links` *un*tion *s t** sour** o* improp*r s*nitiz*tion. T** *un*tion's rol* in *uil*in* Link *****rs usin* *yn*mi* p*r*m*t*rs m*k*s it sus**pti*l* to inj**tion w**n sp**i*l *

4

Basic Information

Concerned about an active attack path?

CVE-2024-10491: Express ressource injection

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI