AIKIDO-2024-10412

express is vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Medium

express js

AIKIDO-2024-10412: express is vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in versions 3.0.0-alpha1 - 3.21.2.

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Vuln in 3.0.0-alpha1 - 3.21.2

Fixed in 4.0.0

CVE-2024-10491

TL;DR

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.

Who does this affect?

You're affected if you are using a version which is within vulnerability ranges.

How can it be fixed?

Upgrade express library to patch version.

Background info

Link to vendor website

🇪🇺 Grauwpoort 1, 9000 Ghent, Belgium

🇺🇸 95 Third St, 2nd Fl, San Francisco, CA 94103, US

AIKIDO-2024-10412

express is vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

express js

AIKIDO-2024-10412: express is vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in versions 3.0.0-alpha1 - 3.21.2.

Don’t be left in the dark