express-rate-limit/express-slow-down

CVE-2024-29041 vulnerability of Express.js

letitechera opened this issue · 1 comment

Description

Are you aware of the express.js malformed URLs vulnerability?

Ref: GHSA-rv95-896h-c2vc
Ref: https://nvd.nist.gov/vuln/detail/CVE-2024-29041

"Open Redirect: express is vulnerable to Open Redirect. The vulnerability is due to improper handling of user-provided URLs during redirection in Express.js, which performs encoding using the encodeurl library before passing it to the 'location' header. It allows bypass of properly implemented allow lists and leads to an Open Redirect vulnerability"

We are using express-rate-limit in its latest version, and Veracode reports this vulnerability.
Is there going to be a fix for this?

Library version

2.0.1

Node version

= 16

Typescript version (if you are using it)

No response

Module system

ESM

Hi again,

Same comment as https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-37j3-pcpj-qqx8#advisory-comment-99556 - I don't see how express-slow-down is impacted by this vulnerability.

I don't believe express-slow-down uses the impacted res.location() and res.redirect() methods from express, and express-slow-down does not have a direct dependency on express, only a peerDependency, which means it will use whatever version you have installed. What am I missing?

(express-slow-down also uses express as a devDependency, but that shouldn't impact you.)
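For readers following this thread who do call `res.redirect()` / `res.location()` in their own Express handlers, the following is an added, defender-side example (not code from express-slow-down, express-rate-limit, or the Express project) of allow-listing a redirect target by its parsed origin rather than by string prefix, so the comparison does not depend on how the raw string was encoded. The origins in `DEFAULT_ALLOWED_ORIGINS`, the helper name `safeRedirectTarget`, and the `/after-login` route are all constructed for the example.

```javascript
'use strict';

// Constructed allow list for the example; replace with your own origins.
const DEFAULT_ALLOWED_ORIGINS = [
  'https://app.example.com',
  'https://login.example.com',
];

/**
 * Returns a redirect target that points at one of `allowedOrigins`, or
 * `fallback` when the candidate is missing, unparsable, or resolves to any
 * other origin. The decision is made on the WHATWG-parsed `origin`, and the
 * normalized `href` is returned instead of the raw user-supplied string.
 */
function safeRedirectTarget(candidate, allowedOrigins = DEFAULT_ALLOWED_ORIGINS, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) {
    return fallback;
  }

  let parsed;
  try {
    // Relative paths ("/dashboard") resolve against the first allowed origin;
    // absolute and protocol-relative inputs ("//host/...") keep their own host
    // and are therefore judged by that host's origin below.
    parsed = new URL(candidate, allowedOrigins[0]);
  } catch {
    return fallback; // not a parsable URL at all
  }

  if (!allowedOrigins.includes(parsed.origin)) {
    return fallback; // scheme, host or port differs from every allowed origin
  }

  return parsed.href;
}

// Hypothetical Express usage (assumes an `app` instance; not executed here):
// app.get('/after-login', (req, res) => {
//   res.redirect(safeRedirectTarget(req.query.next));
// });

module.exports = { safeRedirectTarget, DEFAULT_ALLOWED_ORIGINS };
```

The helper deliberately returns the serialized `href` rather than echoing the caller's string: whatever the framework later does with the value, the host it names has already been resolved and checked once, in one place.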