This repository was archived by the owner on Mar 8, 2025. It is now read-only.
Description CVE-2024-43796 - Medium Severity Vulnerability
Vulnerable Libraries - express-4.18.1.tgz , express-4.18.2.tgz
express-4.18.1.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
platform-express-8.4.7.tgz (Root Library)
❌ express-4.18.1.tgz (Vulnerable Library)
express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
swagger-ui-express-4.6.3.tgz (Root Library)
❌ express-4.18.2.tgz (Vulnerable Library)
Found in HEAD commit: 2359bd3c0ccc2623a654758aca77d8f8bc59e6a9
Found in base branch: master
Vulnerability Details
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: 2024-09-10
URL: CVE-2024-43796
CVSS 3 Score Details (5.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: 2024-09-10
Fix Resolution (express): 4.20.0
Direct dependency fix Resolution (@nestjs/platform-express): 10.4.2
Fix Resolution (express): 4.20.0
Direct dependency fix Resolution (swagger-ui-express): 5.0.0
Step up your Open Source Security Game with Mend here
Reactions are currently unavailable
CVE-2024-43796 - Medium Severity Vulnerability
express-4.18.1.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
express-4.18.2.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 2359bd3c0ccc2623a654758aca77d8f8bc59e6a9
Found in base branch: master
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Publish Date: 2024-09-10
URL: CVE-2024-43796
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-qw6h-vgh9-j6wx
Release Date: 2024-09-10
Fix Resolution (express): 4.20.0
Direct dependency fix Resolution (@nestjs/platform-express): 10.4.2
Fix Resolution (express): 4.20.0
Direct dependency fix Resolution (swagger-ui-express): 5.0.0
Step up your Open Source Security Game with Mend here