CVE-2024-10491: Preload arbitrary resources by injecting additional `Link` headers

Published Oct 29, 2024
·
Updated

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.

The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and <> to preload malicious resources.

This vulnerability is especially relevant for dynamic parameters.

Affected Software

3 affected componentsFixes available
npm/express<=3.21.4
4.0.0-rc1
Openjsf Express Node.js<=3.21.4
Openjsf Express Node.js>=3.0.0<3.21.5

Event History

Oct 29, 2024
CVE Published
via MITRE·04:23 PM
Data Sourced
via MITRE·04:23 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:15 PM
DescriptionSeverityWeaknessAffected Software
Advisory Published
via GitHub·06:30 PM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-10491?

CVE-2024-10491 is classified as a moderate severity vulnerability due to its potential for arbitrary resource injection.

2

How do I fix CVE-2024-10491?

To fix CVE-2024-10491, update to Express version 4.0.0-rc1 or later to ensure proper sanitization of Link header values.

3

What versions of Express are affected by CVE-2024-10491?

CVE-2024-10491 affects all versions of Express up to and including 3.21.4.

4

What are the consequences of exploiting CVE-2024-10491?

Exploiting CVE-2024-10491 can lead to security risks such as arbitrary resource injection through unsanitized Link header values.

5

Is CVE-2024-10491 related to any specific programming languages?

CVE-2024-10491 is related to Node.js applications that utilize the Express framework.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203