3 matches found
CVE-2022-24999
CVE-2022-24999 affects the qs library prior to 6.10.3 used by Express before 4.17.3, enabling prototype poisoning via a[proto ] in query strings that can hang a Node process. An unauthenticated remote attacker can place the payload in the URL query. The advisory notes backported fixes to qs versi...
CVE-2024-29041
CVE-2024-29041 – Open Redirect in Express.js . Express.js versions prior to 4.19.0 and all pre-release 5.0 alpha/beta are affected by an open redirect via user-provided redirect URLs. The flaw stems from encodeurl usage in res.location()/res.redirect(), allowing bypass of allowlists in redirectio...
CVE-2024-43796
CVE-2024-43796 : Express.js (Node) vulnerable in versions prior to 4.20.0 where untrusted input passed to response.redirect() can lead to execution of untrusted code. This is mitigated by upgrading to Express.js 4.20.0 or newer; the issue is categorized under a cross-site scripting concern in the...