
AIKIDO-2024-10412

express is vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | CVE-2024-10491 | Published Nov 5, 2024

60 (Medium Risk)

This Affects:

express (js)
3.0.0-alpha1 - 3.21.2
Fixed in 4.0.0

TL;DR

A vulnerability has been identified in the Express response.links function that allows arbitrary resource injection into the Link header when unsanitized data is used. The issue arises from improper sanitization of Link header values: characters such as ",", ";" and "<>" are passed through and can be used to preload malicious resources. This vulnerability is particularly concerning when dynamic parameters are involved.
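The following is an added example, not code from Express or from this advisory: it shows why those characters matter in a Link header and one way to validate a dynamic value before it reaches response.links. The serialiser is a simplified stand-in, and the helper names, the allow-list and the example.test URLs are assumptions made for illustration.

```javascript
// Simplified stand-in for a Link header serialiser (NOT the Express source):
// each entry becomes <target>; rel="name", and entries are joined with commas.
function naiveLinkHeader(links) {
  return Object.entries(links)
    .map(([rel, target]) => `<${target}>; rel="${rel}"`)
    .join(', ');
}

// Hypothetical helper: returns a header-safe absolute URL, or null if rejected.
function safeLinkTarget(raw, allowedOrigins) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (err) {
    return null; // not an absolute URL
  }
  if (!allowedOrigins.includes(url.origin)) return null;
  // Percent-encode every character that is structural in a Link header.
  return url.href.replace(/[<>,;"\s]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Hypothetical wrapper: passes only validated targets to res.links().
function setSafeLinks(res, links, allowedOrigins) {
  const clean = {};
  for (const [rel, target] of Object.entries(links)) {
    const safe = safeLinkTarget(target, allowedOrigins);
    // Conservative rel check (assumption): plain tokens such as next, prev, preload.
    if (safe !== null && /^[a-z][a-z0-9-]*$/i.test(rel)) clean[rel] = safe;
  }
  if (Object.keys(clean).length > 0) res.links(clean);
  return clean;
}

// Counts serialised entries by their rel="..." parameter.
function countEntries(header) {
  return (header.match(/rel="/g) || []).length;
}

// Constructed sample values (example.test is a reserved test domain).
const ALLOWED = ['https://cdn.example.test'];
const tainted =
  'https://cdn.example.test/app.js>; rel="preload", <https://other.example.test/x.js';

console.log(countEntries(naiveLinkHeader({ next: tainted })));
console.log(naiveLinkHeader({ next: safeLinkTarget(tainted, ALLOWED) }));
```

With the unvalidated value the single "next" entry serialises as two entries; after validation it stays one entry with the delimiters percent-encoded.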

Who does this affect?

You are affected if you are using a version of express that falls within the vulnerable range (3.0.0-alpha1 - 3.21.2).

Background info

express is vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in versions 3.0.0-alpha1 - 3.21.2.

How to fix this

Upgrade the express library to the patched version (fixed in 4.0.0).