Bug 2290901 (CVE-2024-29041) - CVE-2024-29041 express: cause malformed URLs to be evaluated
Summary: CVE-2024-29041 express: cause malformed URLs to be evaluated
Keywords:
Status: NEW
Alias: CVE-2024-29041
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2290907 2290908 2290914 2290915 2290916 2290921 2290922 2290923 2290925 2290952 2308719 2308720 2308721 2308722 2308723 2308724 2308727 2308729 2308731 2308732 2308733 2308734 2308735 2308736 2308737 2308738 2308739 2308740 2308741 2308742 2308743 2290905 2290906 2290909 2290910 2290911 2290912 2290913 2290917 2290918 2290919 2290920 2290924 2290926 2290949 2308725 2308726 2308728 2308730
Blocks: 2290904
Reported: 2024-06-07 17:09 UTC by Rohit Keshri
Modified: 2024-10-03 11:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Express.js, a minimalist web framework for Node.js. Versions of Express.js before 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When an Express application performs a redirect using a user-provided URL, Express encodes the value [using `encodeurl`](https://github.com/pillarjs/encodeurl) before passing it to the `location` header. Because the string that is validated is not the string that is sent, malformed URLs can be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3868 0 None None None 2024-06-17 00:44:42 UTC
Red Hat Product Errata RHSA-2024:4873 0 None None None 2024-07-25 15:05:18 UTC
Red Hat Product Errata RHSA-2024:7164 0 None None None 2024-09-26 03:47:23 UTC
Red Hat Product Errata RHSA-2024:7624 0 None None None 2024-10-03 11:22:59 UTC

Description Rohit Keshri 2024-06-07 17:09:03 UTC
Express.js is a minimalist web framework for Node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL, Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()`, but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

https://expressjs.com/en/4x/api.html#res.location
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94
https://github.com/expressjs/express/pull/5539
https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
https://github.com/koajs/koa/issues/1800

Comment 2 Rohit Keshri 2024-06-07 18:42:41 UTC
Created cachelib tracking bugs for this issue:

Affects: fedora-all [bug 2290905]


Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2290906]
Affects: fedora-all [bug 2290911]


Created cldr-emoji-annotation tracking bugs for this issue:

Affects: fedora-all [bug 2290912]


Created fbthrift tracking bugs for this issue:

Affects: fedora-all [bug 2290913]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2290907]


Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2290914]


Created h3 tracking bugs for this issue:

Affects: fedora-all [bug 2290915]


Created magicmirror tracking bugs for this issue:

Affects: fedora-all [bug 2290916]


Created obs-cef tracking bugs for this issue:

Affects: fedora-all [bug 2290917]


Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 2290918]


Created python-socketio tracking bugs for this issue:

Affects: fedora-all [bug 2290919]


Created qpid-dispatch tracking bugs for this issue:

Affects: epel-all [bug 2290908]
Affects: fedora-all [bug 2290920]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2290921]


Created qt6-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2290922]


Created rstudio tracking bugs for this issue:

Affects: fedora-all [bug 2290923]


Created seamonkey tracking bugs for this issue:

Affects: epel-all [bug 2290909]
Affects: fedora-all [bug 2290924]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2290925]


Created yarnpkg tracking bugs for this issue:

Affects: epel-all [bug 2290910]
Affects: fedora-all [bug 2290926]

Comment 10 errata-xmlrpc 2024-06-17 00:44:33 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868

Comment 13 errata-xmlrpc 2024-07-25 15:05:09 UTC
This issue has been addressed in the following products:

  Red Hat build of Apicurio Registry 2.6.1 GA

Via RHSA-2024:4873 https://access.redhat.com/errata/RHSA-2024:4873

Comment 15 errata-xmlrpc 2024-09-26 03:47:14 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

Comment 17 errata-xmlrpc 2024-10-03 11:22:49 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2024:7624 https://access.redhat.com/errata/RHSA-2024:7624
