Home > Vulnerability Database > CVE-2024-10491

Mend.io Vulnerability Database

CVE-2024-10491

Good to know:

Date: October 29, 2024

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in "Link" header values, which can allow a combination of characters like ",", ";", and "<>" to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.

Language: JS

Severity Score

4.0

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-10491

Url: https://github.com/expressjs/express/issues/6222

Url: https://www.herodevs.com/vulnerability-directory/cve-2024-10491

Url: https://github.com/expressjs/express

Url: https://www.mend.io/vulnerability-database/CVE-2024-10491

Severity Score

4.0

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version express - 4.0.0-rc1;express - 3.21.2-express-3.21.5

Learn More

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-10491

Good to know:

Date: October 29, 2024

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?