CVE-2024-43800: serve-static affected by template injection that can lead to XSS
Impact
passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code
Patches
this issue is patched in serve-static 1.16.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
1. The attacker MUST control the input to response.redirect() 1. express MUST NOT redirect before the template appears 1. the browser MUST NOT complete redirection before: 1. the user MUST click on the link in the template
Other sources
serve-static affected by template injection that can lead to XSS
— Microsoft
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
— NVD
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-43800?
CVE-2024-43800 has been classified as a significant vulnerability due to the potential execution of untrusted code through improper handling of user input.
How do I fix CVE-2024-43800?
To address CVE-2024-43800, users must upgrade to serve-static version 1.16.0 or later.
What versions of serve-static are affected by CVE-2024-43800?
Versions of serve-static prior to 1.16.0 and between 2.0.0 and 2.1.0 are affected by CVE-2024-43800.
What are the workarounds for CVE-2024-43800?
The primary workaround for CVE-2024-43800 is to upgrade to the patched version of serve-static, though further mitigation strategies may depend on application context.
Which products are known to be affected by CVE-2024-43800?
IBM Controller versions up to 11.1.0 and IBM Cognos Controller versions up to 11.0.1 are known to be affected by CVE-2024-43800.