CVE-2024-43799: send vulnerable to template injection that can lead to XSS

Published Sep 10, 2024
·
Updated

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect() 1. express MUST NOT redirect before the template appears 1. the browser MUST NOT complete redirection before: 1. the user MUST click on the link in the template

Other sources

pillarjs send is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

IBM

Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

NVD

send vulnerable to template injection that can lead to XSS

Microsoft

Affected Software

4 affected componentsFixes available
npm/send<0.19.0
0.19.0
Send Project Send Node.js<0.19.0
Microsoft cbl2 reaper 3.1.1-13
Patch available
Microsoft cbl2 reaper 3.1.1-18
Patch available

Remediation

Patch Available

https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35

Event History

Sep 10, 2024
CVE Published
via MITRE·02:45 PM
Data Sourced
via MITRE·02:45 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·03:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·03:15 PM
RemedyAffected Software
Data Sourced
via Red Hat·03:30 PM
DescriptionSeverityAffected Software
Advisory Published
via GitHub·07:42 PM
Oct 16, 2024
Data Sourced
via Microsoft·07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
DescriptionSeverity
Feb 4, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-43799?

CVE-2024-43799 is considered a moderate severity vulnerability due to the potential execution of untrusted code through user input.

2

How do I fix CVE-2024-43799?

To fix CVE-2024-43799, upgrade to version 0.19.0 or later of the 'send' package.

3

What causes CVE-2024-43799?

CVE-2024-43799 is caused by passing untrusted user input to the SendStream.redirect() function, which may lead to code execution.

4

Which versions of the 'send' package are affected by CVE-2024-43799?

CVE-2024-43799 affects all versions of the 'send' package before 0.19.0.

5

Is there a workaround for CVE-2024-43799 if I cannot upgrade?

If upgrading is not an option, ensure input is highly sanitized and thoroughly validated before being passed to SendStream.redirect().

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203