CVE-2024-29041
Open Redirect vulnerability in express (npm)
What is CVE-2024-29041 About?
This vulnerability is an Open Redirect flaw in Express.js versions prior to 4.19.2 and specific pre-release 5.0.0-beta versions. It allows attackers to bypass redirect allow lists using malformed URLs, leading to users being redirected to arbitrary malicious sites. Exploiting this flaw is relatively easy if an application uses affected Express.js versions to redirect user-controlled input.
Affected Software
- express
- >5.0.0-alpha.1, <5.0.0-beta.3
- <4.19.2
Technical Details
The Open Redirect vulnerability in Express.js (affecting res.location() and res.redirect()) stems from the interaction between how Express encodes URLs using encodeurl before setting the location header, and how common redirect allow list implementations evaluate these URLs. A malformed URL, which might appear harmless or valid to a simple allow list check, is then encoded by Express. The encodeurl function, when combined with specific characters or structures in the malformed URL, can result in an encoded output that is interpreted differently by the browser or HTTP client than intended by the application's allow list. This discrepancy allows an attacker to craft a URL that, after Express's encoding, bypasses the allow list and redirects the user to an arbitrary external site.
What is the Impact of CVE-2024-29041?
Successful exploitation may allow attackers to redirect users to arbitrary untrusted websites, potentially enabling phishing attacks, credential harvesting, or the delivery of malware.
What is the Exploitability of CVE-2024-29041?
Exploitation involves crafting a malicious URL that, when passed through the affected Express.js application's redirect mechanism (e.g., res.redirect() or res.location()), bypasses any existing allow list validation. The complexity is low to moderate, as it requires understanding how encodeurl processes specific characters and how to construct a URL that triggers the bypass. No authentication or specific privileges are required on the part of the attacker, as they are typically providing a user-controlled URL as input (e.g., in a query parameter). This is a remote vulnerability, as the attacker sends the crafted URL to the web application. The primary risk factor is applications that rely on res.redirect() or res.location() with user-supplied input without robust pre-parsing and validation of the URL schemes and hosts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-29041?
About the Fix from Resolved Security
The patch fixes CVE-2024-29041 by changing how URLs are encoded for the HTTP Location header, ensuring only the path/query portion (not the protocol/host) is encoded. This prevents dangerous backslash characters in the host section from being encoded as %5C, which could allow header-spoofing or host-header attacks. By only encoding after the host, the patch eliminates the ability to smuggle harmful sequences as part of the hostname, addressing the vulnerability.
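The encoding mismatch from the Technical Details section and the "encode only after the host" fix described above, as an added example in JavaScript that is not Express's own code; the host names, the `encodeWholeUrl` approximation of encodeurl and the `SCHEME_AND_HOST` pattern are assumptions made for this demonstration:

```javascript
// Added example, not code from Express or its maintainers. It models the
// encoding mismatch described above and two defensive fixes; the host names
// and the encodeWholeUrl helper are constructed approximations for this demo.
const ALLOWED_HOSTS = new Set(['allowed.example']);

// Approximates what encodeurl does to a whole Location value: every byte
// outside the "safe" set is percent-encoded, so a backslash becomes %5C.
const UNSAFE_CHARS = /[^\x21\x23-\x3B\x3D\x3F-\x5B\x5D\x5F\x61-\x7A\x7E]/g;
function encodeWholeUrl(url) {
  return url.replace(UNSAFE_CHARS, (c) => encodeURI(c));
}

// Typical allow-list check: look at the host the application's parser sees.
function hostIsAllowed(url) {
  try { return ALLOWED_HOSTS.has(new URL(url).hostname); } catch { return false; }
}

// The host a WHATWG-compliant client (browser) extracts from a Location value.
function browserHost(location) {
  return new URL(location).hostname;
}

// Vulnerable flow: validate the raw input, then encode the entire value.
// A backslash that the check treated as a path delimiter is now %5C, so the
// client reads everything before "@" as userinfo and lands on another host.
function vulnerableLocation(userUrl) {
  return hostIsAllowed(userUrl) ? encodeWholeUrl(userUrl) : null;
}

// Library-side fix, modelled on the patch described above: keep scheme://host
// and the delimiter right after it as-is, encode only the remainder.
const SCHEME_AND_HOST = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/?]+/;
function encodeAfterHost(url) {
  const m = SCHEME_AND_HOST.exec(url);
  const pos = m ? m[0].length + 1 : 0;
  return url.slice(0, pos) + encodeWholeUrl(url.slice(pos));
}
function patchedLocation(userUrl) {
  return hostIsAllowed(userUrl) ? encodeAfterHost(userUrl) : null;
}

// Application-side fix: never forward the raw string. Parse, check the host,
// and redirect to the parser's normalized href so the bytes sent to the client
// are exactly the ones the allow list examined.
function normalizedLocation(userUrl) {
  let parsed;
  try { parsed = new URL(userUrl); } catch { return null; }
  return ALLOWED_HOSTS.has(parsed.hostname) ? parsed.href : null;
}
```

Comparing `browserHost(vulnerableLocation(input))` with `browserHost(patchedLocation(input))` for the same input is a quick regression check that a redirect helper validates what the client will actually see.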
Available Upgrade Options
- express
- <4.19.2 → Upgrade to 4.19.2
- express
- >5.0.0-alpha.1, <5.0.0-beta.3 → Upgrade to 5.0.0-beta.3
Additional Resources
- https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
- https://nvd.nist.gov/vuln/detail/CVE-2024-29041
- https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd
- https://github.com/koajs/koa/issues/1800
- https://github.com/expressjs/express/pull/5539
- https://osv.dev/vulnerability/GHSA-rv95-896h-c2vc
- https://expressjs.com/en/4x/api.html#res.location
What are Similar Vulnerabilities to CVE-2024-29041?
Similar Vulnerabilities: CVE-2023-38144, CVE-2022-35914, CVE-2021-42065, CVE-2020-28203, CVE-2019-10022
