CVE-2024-29041

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Mar 25, 2024

Updated: Mar 26, 2024

CWE ID 601

CWE ID 1286

Summary

CVE-2024-29041 is a vulnerability affecting Express.js, a popular web framework for node, prior to version 4.19.0 and all alpha and beta versions of 5.0. The issue involves an open redirect vulnerability, where malformed URLs can bypass properly implemented allow lists in Express applications. This occurs due to the `encodeurl` function's handling of user-provided URLs, which can lead to unexpected evaluations and open redirects. The main functions impacted are `res.location()` and `res.redirect()`. Versions 4.19.2 and 5.0.0-beta.3 have since been released to address this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/vCBaHt
https://www.cve.org/CVERecord?id=CVE-2024-29041
https://nvd.nist.gov/vuln/detail/CVE-2024-29041

Back to Vulnerability Database

Platform Features

Products

Use Cases

Teams

Industries

Services

DRAT V2: Updated DRAT Emerges in TAG-140’s Arsenal

Threats to the 2025 NATO Summit

Artificial Eyes: Generative AI in China’s Military Intelligence

Know What Matters

For Customers

For Partners

CVE-2024-29041

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Summary

Advisories, Assessments, and Mitigations