Skip to main content

Express CVE-2024-10491

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2024-10-29 36c7be3b-2937-45df-85ea-ca7133ea542c
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 29, 2024 - 17:15 nvd
MEDIUM 5.3

DescriptionNVD

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.

The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and <> to preload malicious resources.

This vulnerability is especially relevant for dynamic parameters.

AnalysisAI

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-74. A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and <> to preload malicious resources. This vulnerability is especially relevant for dynamic parameters. Affected products include: Openjsf Express.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-24999 HIGH POC
7.5 Nov 26

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2025-48997 HIGH
8.7 Jun 03

Denial of Service vulnerability in Multer (Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 throug

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2025-67731 HIGH
7.5 Dec 12

Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by th

CVE-2014-6393 MEDIUM
6.1 Aug 09

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Ty

CVE-2024-29041 MEDIUM
6.1 Mar 25

Express.js minimalist web framework for node. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitab

CVE-2014-6887 MEDIUM
5.4 Oct 11

The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SS

CVE-2026-27508 MEDIUM
5.1 Mar 30

Reflected cross-site scripting (XSS) in Smoothwall Express versions before 3.1 Update 13 allows unauthenticated remote a

CVE-2026-26352 MEDIUM
5.1 Mar 30

Stored cross-site scripting in Smoothwall Express prior to version 3.1 Update 13 allows authenticated attackers to injec

CVE-2024-43796 MEDIUM
4.7 Sep 10

Express.js minimalist web framework for node. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitab

Share

CVE-2024-10491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy