CVE-2014-6393
Cross-Site Scripting (XSS) vulnerability in express (npm)
What is CVE-2014-6393 About?
Vulnerable versions of express are affected by a Cross-Site Scripting (XSS) issue that relies on non-standard encodings such as UTF-7. It occurs because the `Content-Type` header of 400-level responses lacks a charset field, leaving the victim's browser to guess the encoding of the response body. Exploitation is complex, depending on browser behavior and specific encoding support.
Affected Software
- express
  - <3.11.0
  - >4.0.0, <4.5.0
Technical Details
Vulnerable versions of the express framework do not include a `charset` field in the `Content-Type` header when delivering 400-level HTTP error responses. This omission means the user's browser may attempt to guess the encoding of the response. An attacker can craft a request (e.g., one that triggers a specific error) whose error response reflects attacker-controlled content containing script encoded in a non-standard encoding like UTF-7. If the browser interprets the response as UTF-7 (or another vulnerable encoding) because no charset was declared, the embedded script is executed in the context of the application's origin, resulting in a Cross-Site Scripting (XSS) attack.
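As an added illustration (not code from the advisory or from Express itself), the following shows the condition the advisory describes as a reusable check, plus a hypothetical Express-style middleware that pins `charset=utf-8` on any sniffable text response. It generalizes beyond 400-level responses because the same sniffing risk applies to any text body served without a declared charset; the `fakeResponse` stand-in is constructed here so the example runs without a real server.

```javascript
// Added example, not code from the advisory or from Express itself.
// needsCharset(): the condition behind CVE-2014-6393, a text-like response
// whose Content-Type names no charset, so the browser may guess one (UTF-7).
// charsetMiddleware(): a hardening wrapper that pins charset=utf-8 on any
// such response, whatever status code the application ends up sending.
const SNIFFABLE_TYPES = /^(text\/|application\/(xhtml\+xml|xml|javascript))/i;

function parseContentType(value) {
  const [type, ...params] = String(value || '').split(';');
  const parsed = { type: type.trim().toLowerCase(), params: {} };
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    parsed.params[name] = p.slice(eq + 1).trim().replace(/^"|"$/g, '').toLowerCase();
  }
  return parsed;
}

// True when a browser could apply encoding sniffing to this response.
function needsCharset(contentType) {
  const ct = parseContentType(contentType);
  return SNIFFABLE_TYPES.test(ct.type) && !('charset' in ct.params);
}

// Express-style middleware (hypothetical, not Express's own fix): wraps
// res.writeHead so the final Content-Type always names a charset.
function charsetMiddleware(req, res, next) {
  const originalWriteHead = res.writeHead;
  res.writeHead = function (statusCode, ...rest) {
    const ct = this.getHeader('content-type');
    if (ct && needsCharset(ct)) this.setHeader('Content-Type', `${ct}; charset=utf-8`);
    return originalWriteHead.call(this, statusCode, ...rest);
  };
  next();
}

// Minimal stand-in for http.ServerResponse (constructed for this example;
// only the methods used above are modelled) so it runs offline.
function fakeResponse() {
  const headers = {};
  return {
    statusCode: null,
    getHeader(name) { return headers[name.toLowerCase()]; },
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    writeHead(code) { this.statusCode = code; return this; },
  };
}
```

To reproduce the vulnerable shape, install the middleware on a `fakeResponse()`, set `Content-Type: text/html`, call `writeHead(400)`, and read the header back; it now carries `charset=utf-8`.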
What is the Impact of CVE-2014-6393?
Successful exploitation may allow attackers to execute arbitrary script code in the context of the victim's browser, steal sensitive information, perform actions on behalf of the victim, or deface web content.
What is the Exploitability of CVE-2014-6393?
Exploitation is highly complex, as it relies on specific browser behavior regarding character set guessing and on the ability to trigger a 400-level error response that reflects attacker-controlled content. It is a remote vulnerability, requiring the attacker to interact with the web application. Authentication requirements vary; in some deployments the error can be triggered unauthenticated. The primary prerequisite is that the victim's browser supports and falls back to a non-standard encoding (such as UTF-7) when an explicit charset is missing. Risk factors include which browsers the application's users run and server configurations that expose such error responses.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-6393?
Available Upgrade Options
- express
  - <3.11.0 → Upgrade to 3.11.0
  - >4.0.0, <4.5.0 → Upgrade to 4.5.0
Additional Resources
- https://nodesecurity.io/advisories/express-no-charset-in-content-type-header
- https://bugzilla.redhat.com/show_bug.cgi?id=1203190
- https://nvd.nist.gov/vuln/detail/CVE-2014-6393
- https://github.com/advisories/GHSA-gpvr-g6gh-9mc2
- https://www.npmjs.com/advisories/8
- https://osv.dev/vulnerability/GHSA-gpvr-g6gh-9mc2
What are Similar Vulnerabilities to CVE-2014-6393?
Similar Vulnerabilities: CVE-2016-10735, CVE-2018-14041, CVE-2019-11358, CVE-2020-28498, CVE-2021-32804
