CVE-2024-10491

Name: CVE-2024-10491
Description: A vulnerability has been identified in the Express `response.links` function that allows arbitrary resource injection into the `Link` header when unsanitized data is passed to it. The issue arises from missing sanitization of `Link` header values: a combination of characters such as `,`, `;` and `<>` can be used to make the header reference additional, attacker-chosen resources for preloading. This is especially relevant where the link target comes from dynamic parameters.
Source: CVE (at NVD)
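The description above comes down to one detail: `res.links()` drops each target into the `<uri>; rel="name"` slot without escaping it. The following is an added example, not Express's or Debian's code; `buildLinkHeader` only models that serialisation, and `isSafeLinkTarget` / `safeLinks` are hypothetical guards an application can put in front of the call.

```javascript
// Added example (not Express's code). buildLinkHeader models how
// res.links({ rel: target }) is joined into the Link header: the target is
// concatenated unescaped, so structural characters in it become header syntax.
function buildLinkHeader(links) {
  return Object.keys(links)
    .map((rel) => '<' + links[rel] + '>; rel="' + rel + '"')
    .join(', ');
}

// Characters that close the <uri> slot, add parameters or start a new
// link-value in Link header syntax (RFC 8288), plus whitespace.
const LINK_META = /[<>,;"\s]/;

// Accepts only a same-origin path or an absolute http(s) URL that contains no
// header-structure or control characters, so one entry stays one link-value.
function isSafeLinkTarget(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return false;
  if (LINK_META.test(value)) return false;
  if (/[\x00-\x1f\x7f]/.test(value)) return false; // CR/LF etc. would split the header
  if (value.startsWith('/')) return !value.startsWith('//'); // reject scheme-relative
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false; // not an absolute URL and not a path
  }
}

// Guard to run before res.links(): validate every rel and target, and refuse
// to build a header the caller did not intend rather than emitting it.
function safeLinks(links) {
  for (const rel of Object.keys(links)) {
    if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(rel)) throw new Error('bad rel: ' + rel);
    if (!isSafeLinkTarget(links[rel])) throw new Error('unsafe link target for rel ' + rel);
  }
  return buildLinkHeader(links);
}

// Constructed inputs: ordinary pagination targets, and a "next" value that
// carries the `>; rel=..., <` pattern the advisory describes.
const GOOD = { next: '/items?page=2', last: 'https://api.example.test/items?page=9' };
const TAINTED = { next: '/items?page=2>; rel="preload", <https://injected.example.test/x.js' };
```

With the unguarded model, `TAINTED` yields two link-values from a single entry; `safeLinks` throws on it and passes `GOOD` through unchanged.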

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release            Version                   Status
node-express (PTS)    jessie, stretch    4.1.1~dfsg-1              vulnerable
node-express (PTS)    buster             4.16.4-1                  vulnerable
node-express (PTS)    bullseye           4.17.1-3                  vulnerable
node-express (PTS)    bookworm           4.18.2+~4.17.14-1         vulnerable
node-express (PTS)    sid, trixie        4.21.0+~cs8.36.26-2       vulnerable

The information below is based on the following data on fixed versions.

Package        Type      Release       Fixed Version    Urgency        Origin    Debian Bugs
node-express   source    jessie        (unfixed)        end-of-life
node-express   source    stretch       (unfixed)        end-of-life
node-express   source    buster        (unfixed)        end-of-life
node-express   source    (unstable)    (unfixed)

Notes

[bookworm] - node-express <no-dsa> (Minor issue)
[bullseye] - node-express <postponed> (Minor issue, no public patch)
https://www.herodevs.com/vulnerability-directory/cve-2024-10491
check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards
