5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-43796

GHSA ID

GHSA-qw6h-vgh9-j6wx

EPSS Score

0.18184%

CWE

CWE-79

Published

9/10/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-43796

CVE-2024-43796: express vulnerable to XSS via response.redirect()

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-43796

GHSA ID

GHSA-qw6h-vgh9-j6wx

EPSS Score

0.18184%

CWE

CWE-79

Published

9/10/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
express	npm	< 4.20.0	4.20.0
express	npm	>= 5.0.0-alpha.1, < 5.0.0	5.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how the res.redirect function in lib/response.js constructs the HTML body for redirection. The commit 54271f69b511fea198471e6ff3400ab805d6b553 directly modifies this function. The patch_evidence clearly shows the removal of the vulnerable anchor tag (<a href="' + u + '">' + u + '</a>) which was the source of the XSS. The variable u represents the user-provided URL. The test file test/res.redirect.js also adds a specific test case for XSS in res.redirect, further confirming that this function was the site of the vulnerability. The description states "passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code", directly implicating response.redirect().

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In *xpr*ss <*.**.*, p*ssin* untrust** us*r input - *v*n **t*r s*nitizin* it - to `r*spons*.r**ir**t()` m*y *x**ut* untrust** *o** ### P*t***s t*is issu* is p*t**** in *xpr*ss *.**.* ### Work*roun*s us*rs *r* *n*our**** to up*r*** to t

Reasoning

T** vuln*r**ility li*s in *ow t** `r*s.r**ir**t` *un*tion in `li*/r*spons*.js` *onstru*ts t** *TML *o*y *or r**ir**tion. T** *ommit `****************************************` *ir**tly mo*i*i*s t*is *un*tion. T** `p*t**_*vi**n**` *l**rly s*ows t** r*m

5

Basic Information

Concerned about an active attack path?

CVE-2024-43796: express vulnerable to XSS via response.redirect()

Impact

Patches

Workarounds

Details

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI