[GHSA-cm5g-3pgc-8rg4] A vulnerability has been identified in the Express...

[axi92]

Updates

• Affected products
• Summary

Comments
Add info from herodevs.com about version and package

[darakian]

Thanks for the PR @axi92. You don't happen to know if this has been fixed or not do you?

[axi92]

I don't know how to validate it myself and there are mixed informations.
I caught it with auditjs that uses the sonatype ossindex.

[21/65] - pkg:npm/[email protected] - 1 vulnerability found!

  Vulnerability Title:  [CVE-2024-10491] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  ID:  CVE-2024-10491
  Description:  A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
  
  The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.
  
  This vulnerability is especially relevant for dynamic parameters.
  
  Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-10491 for details
  CVSS Score:  5.3
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  CVE:  CVE-2024-10491
  Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2024-10491?component-type=npm&component-name=express&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46

But according to snyk it should be fixed in 4.x https://security.snyk.io/vuln/SNYK-JS-EXPRESS-8310337

I opened an issue asking in the express repo, they should know for sure.
https://github.com/expressjs/express/issues/6183

[darakian]

I opened an issue asking in the express repo, they should know for sure.
https://github.com/expressjs/express/issues/6183

Hmmmm. That issue seems to have been deleted

[axi92]

I tried to find an email to notify them but I was not able to find one in the express repo.

[darakian]

According to https://github.com/expressjs/express/blob/master/Security.md it seems they suggest emailing a lead dev.

I don't know how to validate it myself and there are mixed informations.

You're the author of https://www.herodevs.com/vulnerability-directory/cve-2024-10491 correct? Can you rerun your poc on newer versions?

[axi92]

Yes but I was not able to find the mail of the lead dev.

No I am not the author, and I tried the poc on different versions with everytime the same result.
I am just using express as a dependency from another package.

[darakian]

I see. Well failing more independent review I guess I'll merge this as is. Thanks for the PR 👍

[advisory-database]

Hi @axi92! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!