Intel/AIKIDO-2024-10254
serve-static
AIKIDO-2024-10254
serve-static is vulnerable to Cross-site Scripting (XSS)
Cross-site Scripting (XSS)CVE-2024-43800 Published Sep 11, 2024
20
Low Risk
This Affects:
serve-static1.3.0 - 1.15.0
Fixed in 1.16.02.0.0 - 2.0.0
Fixed in 2.1.0Are you affected? Scan for Free
TL;DR
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the redirect function due to improper sanitization of user input.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
serve-static is vulnerable to Cross-site Scripting (XSS) in versions 1.3.0 - 1.15.0 and 2.0.0 - 2.0.0.
How to fix this
Upgrade the serve-static library to the patch version.
Links
GitHub Release
Fix Commits
github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6bhttps://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b
github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fahttps://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
Resources
Industries
Use Cases
Compare
© 2026 Aikido Security BV | BE0792914919
Keizer Karelstraat 15, 9000, Ghent, Belgium
95 Third St, 2nd Fl, San Francisco, CA 94103, US
Unit 6.15 Runway East 18 18 Crucifix Ln, London SE1 3JW UK
Ghent, Belgium | San Francisco, US
SOC 2Compliant
ISO 27001Compliant