Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-cm5g-3pgc-8rg4] A vulnerability has been identified in the Express... #5024

Open
wants to merge 1 commit into
base: axi92/advisory-improvement-5024
Choose a base branch
from

Conversation

axi92
Copy link

@axi92 axi92 commented Nov 20, 2024

Updates

  • Affected products
  • Summary

Comments
Add info from herodevs.com about version and package

@github-actions github-actions bot changed the base branch from main to axi92/advisory-improvement-5024 November 20, 2024 14:55
@darakian
Copy link
Contributor

Thanks for the PR @axi92. You don't happen to know if this has been fixed or not do you?

@axi92
Copy link
Author

axi92 commented Nov 21, 2024

I don't know how to validate it myself and there are mixed informations.
I caught it with auditjs that uses the sonatype ossindex.

[21/65] - pkg:npm/express@4.21.1 - 1 vulnerability found!

  Vulnerability Title:  [CVE-2024-10491] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  ID:  CVE-2024-10491
  Description:  A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
  
  The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.
  
  This vulnerability is especially relevant for dynamic parameters.
  
  Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-10491 for details
  CVSS Score:  5.3
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  CVE:  CVE-2024-10491
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2024-10491?component-type=npm&component-name=express&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46

But according to snyk it should be fixed in 4.x https://security.snyk.io/vuln/SNYK-JS-EXPRESS-8310337

I opened an issue asking in the express repo, they should know for sure.
https://github.com/expressjs/express/issues/6183

@darakian
Copy link
Contributor

I opened an issue asking in the express repo, they should know for sure.
https://github.com/expressjs/express/issues/6183

Hmmmm. That issue seems to have been deleted

@axi92
Copy link
Author

axi92 commented Nov 22, 2024

I tried to find an email to notify them but I was not able to find one in the express repo.

@darakian
Copy link
Contributor

darakian commented Nov 22, 2024

According to https://github.com/expressjs/express/blob/master/Security.md it seems they suggest emailing a lead dev.

I don't know how to validate it myself and there are mixed informations.

You're the author of https://www.herodevs.com/vulnerability-directory/cve-2024-10491 correct? Can you rerun your poc on newer versions?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants