express vulnerable to XSS via response.redirect()

GHSA-qw6h-vgh9-j6wx · CVE-2024-43796

Published Sep 10, 2024 · Modified Feb 4, 2026

Description

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

References

WEB https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-43796
WEB https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
PACKAGE https://github.com/expressjs/express

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes