6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-29041

GHSA ID

GHSA-rv95-896h-c2vc

EPSS Score

0.12423%

CWE

CWE-601

Published

3/25/2024

Updated

3/27/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29041

CVE-2024-29041: Express.js Open Redirect in malformed URLs

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94

An initial fix went out with express@4.19.0, we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

https://github.com/expressjs/express/pull/5539 https://github.com/koajs/koa/issues/1800 https://expressjs.com/en/4x/api.html#res.location

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-29041

CVE-2024-29041:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-29041

GHSA ID

GHSA-rv95-896h-c2vc

EPSS Score

0.12423%

CWE

CWE-601

Published

3/25/2024

Updated

3/27/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
express	npm	< 4.19.2	4.19.2
express	npm	>= 5.0.0-alpha.1, < 5.0.0-beta.3	5.0.0-beta.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis focused on the provided commit patches and the vulnerability description.

Commit 0867302ddbde0e9463d0564fea5861feb708c2dd directly modifies res.location in lib/response.js. The change from return this.set('Location', encodeUrl(loc)); to a more complex handling involving URL parsing and conditional encoding indicates that the original unconditional encoding of the entire URL was the source of the vulnerability. This function processes user-provided URLs and sets the Location header, making it central to the open redirect issue.
Commit 0b746953c4bd8e377123527db11f9cd866e39f94 further refines the fix in res.location by changing how the URL is split and encoded (loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));). This new logic ensures that encodeUrl is only applied to the path and query parameters, not the scheme or host, preventing the bypass. This confirms that the encoding strategy within res.location was the core problem.
The vulnerability description explicitly states, 'The main method impacted is res.location() but this is also called from within res.redirect().' This makes res.redirect an indirect but critical function in the context of this vulnerability, as it serves as an entry point to the flawed logic in res.location. Both functions are part of lib/response.js in Express.js. The identified functions are those that either contained the flawed logic (res.location) or called the flawed logic with user-controlled input (res.redirect), and would thus appear in a runtime profile during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-29041: Express.js Open Redirect in malformed URLs

Impact

Patches

Workarounds

References

CVE-2024-29041:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-29041: Express.js Open Redirect in malformed URLs

Impact

Patches

Workarounds

References

Basic Information

Basic Information

Technical Details

6.1

6.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI