CVE-2024-43800

serve-static affected by template injection that can lead to XSS

CVSS 5 MEDIUM · EPSS 0.6% · CWE-79
In short

A flaw in serve-static allows attackers to inject malicious code through specially crafted requests that bypass sanitization, potentially executing unauthorized scripts in users' browsers.

Technical detail

The vulnerability exists in the redirect() function's handling of user-supplied input: despite sanitization attempts, untrusted data can still reach redirect(), enabling template injection that leads to XSS. The attack vector is HTTP requests carrying crafted redirect parameters; exploitation requires that attacker-controlled input reaches the redirect function. The impact is arbitrary script execution in the context of the victim's browser session.

Summary generated and translated by AI from the official description.
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect(), which may execute untrusted code. This issue is patched in serve-static 1.16.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected products
expressjs · serve-static
