Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-7P99-3798-F85C
HistoryMar 31, 2022 - 10:44 p.m.

URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect

2022-03-3122:44:47
Google
osv.dev
10
url redirection
express-openid-connect
open redirect
middleware
vulnerability
upgrade

EPSS

0.001

Percentile

26.2%

JSON

Impact

Users of the requiresAuth middleware, either directly or through the default authRequired option, are vulnerable to an Open Redirect when the middleware is applied to a catch all route.

If all routes under example.com are protected with the requiresAuth middleware, a visit to http://example.com//google.com will be redirected to google.com after login because the original url reported by the Express framework is not properly sanitised.

Am I affected?

You are affected by this vulnerability if you are using the requiresAuth middleware on a catch all route or the default authRequired option and express-openid-connect version <=2.7.1.

How to fix that?

Upgrade to version >=2.7.2

Will this update impact my users?

The fix provided in the patch will not affect your users.

Related

prion 1
cve 1
cvelist 1
osv 1
nvd 1
github 1
prion
prion
Open redirect
2022-03-31 23:15:00
cve
cve
CVE-2022-24794
2022-03-31 23:15:08
cvelist
cvelist
CVE-2022-24794 Open Redirect in express-openid-connect
2022-03-31 22:45:14
osv
osv
CVE-2022-24794
2022-03-31 23:15:08
nvd
nvd
CVE-2022-24794
2022-03-31 23:15:08
github
github
URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect
2022-03-31 22:44:47

EPSS

0.001

Percentile

26.2%

JSON
Related for OSV:GHSA-7P99-3798-F85C
prion1cve1cvelist1osv1nvd1github1