CVE-2024-11831
Arbitrary Resource Injection vulnerability in serialize-javascript (npm)

What is CVE-2024-11831 About?

This vulnerability is an Arbitrary Resource Injection in the Express `response.links` function, allowing an attacker to inject malicious resources into the `Link` header. It arises from improper sanitization of characters like `,`, `;`, and `<>`, especially with dynamic parameters. Exploitation is relatively easy if unsanitized user data is used in the `Link` header.

Affected Software

serialize-javascript >6.0.0, <6.0.2

Technical Details

The vulnerability lies in the Express framework's `response.links` function when unsanitized data is incorporated into the `Link` header. The function fails to properly validate and sanitize special characters such as commas (`,`), semicolons (`;`), and angle brackets (`<>`). An attacker can inject these characters, especially when dynamic parameters are used, to craft a `Link` header that includes malicious URLs or directives (e.g., `preload`, `prefetch`). For instance, an attacker could provide an input like `example.com</malicious.css>,<http://evil.com/payload.js>;rel=preload`, which would cause the browser to attempt to preload `evil.com/payload.js`, leading to various client-side attacks or information disclosure.
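A hardened header builder, added here as an illustration and not taken from Express, serialize-javascript or the advisory: it refuses the delimiter characters named above before any value reaches the `Link` header, so the sample input from the paragraph is rejected rather than emitted. The helper names, the scheme list and the `rel` allow-list are assumptions for the example.

```javascript
// Added example (not Express's res.links and not the page's code): build a
// Link header from untrusted URLs without letting header delimiters through.

// Only absolute http(s) targets are accepted (assumed policy for this example).
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
// rel values the application actually uses (assumed allow-list).
const ALLOWED_REL = new Set(['next', 'prev', 'preload', 'prefetch', 'stylesheet']);

// Returns a validated absolute URL string or throws. The Link grammar's
// delimiters (<, >, comma, semicolon), quotes, whitespace and control
// characters are refused outright instead of being escaped, so an input such as
//   example.com</malicious.css>,<http://evil.com/payload.js>;rel=preload
// can never add a second link-value or a rel directive of its own.
function safeLinkUrl(input) {
  if (typeof input !== 'string' || /[<>,;"\s\x00-\x1f\x7f]/.test(input)) {
    throw new TypeError('Link target contains header delimiter or control characters');
  }
  let url;
  try {
    url = new URL(input); // throws for relative or malformed targets
  } catch {
    throw new TypeError('Link target is not an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new TypeError(`Link target scheme ${url.protocol} not allowed`);
  }
  return url.href;
}

// Takes { rel: url } pairs, the same shape res.links() accepts, and returns the
// serialised header value, e.g. '<https://a.example/2>; rel="next"'.
function buildLinkHeader(links) {
  return Object.entries(links).map(([rel, target]) => {
    if (!ALLOWED_REL.has(rel)) throw new TypeError(`rel "${rel}" not allowed`);
    return `<${safeLinkUrl(target)}>; rel="${rel}"`;
  }).join(', ');
}

// Small helper so callers (and tests) can check that a value was refused.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed inputs: a legitimate pagination link and the advisory's payload.
console.log(buildLinkHeader({ next: 'https://example.com/page?p=2' }));
console.log(rejects(() => buildLinkHeader({
  preload: 'example.com</malicious.css>,<http://evil.com/payload.js>;rel=preload',
})));
```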

What is the Impact of CVE-2024-11831?

Successful exploitation may allow attackers to perform Cross-Site Scripting (XSS), bypass Content Security Policies (CSPs), or force clients to download malicious resources, leading to client-side compromise or data exfiltration.

What is the Exploitability of CVE-2024-11831?

Exploitation is of low complexity and requires no authentication or special privileges. The attacker only needs to control input that is subsequently used to construct the Link header via the response.links function. This is a remote vulnerability, as the attacker sends a request or provides input that influences the server's response header. The primary constraint is that the application must use dynamic, unsanitized user input in the response.links function. The risk of exploitation is significantly higher in applications that dynamically generate Link headers, such as those that might link to user-uploaded content or provide user-configurable options affecting linked resources.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2024-11831?

Available Upgrade Options

  • serialize-javascript
    • >6.0.0, <6.0.2 → Upgrade to 6.0.2

Additional Resources

What are Similar Vulnerabilities to CVE-2024-11831?

Similar Vulnerabilities: CVE-2023-36359, CVE-2023-28155, CVE-2022-35805, CVE-2022-24765, CVE-2021-39185