Express ressource injection

GHSA-cm5g-3pgc-8rg4 · CVE-2024-10491

Published Oct 29, 2024 · Modified Dec 19, 2024

Description

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.

The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and <> to preload malicious resources.

This vulnerability is especially relevant for dynamic parameters.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-10491
WEB https://github.com/expressjs/express/issues/6222
PACKAGE https://github.com/expressjs/express
WEB https://www.herodevs.com/vulnerability-directory/cve-2024-10491

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes