CVE-2024-43800

Published: Sep 10, 2024

Modified: Sep 10, 2024

PUBLISHED

CVSS v3.1

5.0

MEDIUM

Description

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

Vendor	Product	Versions
expressjs	serve-static	affected `< 1.16.0` affected `>= 2.0.0, < 2.1.0`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p

x_refsource_CONFIRM

https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b

x_refsource_MISC

https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-43800

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References