Express ressource injection
Moderate severity
GitHub Reviewed
Published
Oct 29, 2024
to the GitHub Advisory Database
•
Updated Dec 19, 2024
Description
Published by the National Vulnerability Database
Oct 29, 2024
Published to the GitHub Advisory Database
Oct 29, 2024
Reviewed
Nov 25, 2024
Last updated
Dec 19, 2024
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in
Link
header values, which can allow a combination of characters like,
,;
, and<>
to preload malicious resources.This vulnerability is especially relevant for dynamic parameters.
References