generated from Real-Dev-Squad/website-template
-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency express to ~4.20.0 [security] #1993
Open
renovate
wants to merge
1
commit into
develop
Choose a base branch
from
renovate/npm-express-vulnerability
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
4 times, most recently
from
April 6, 2024 21:37
d4d6aa5
to
2ec6fac
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
3 times, most recently
from
April 17, 2024 15:40
e33c780
to
c6aac9e
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
3 times, most recently
from
April 26, 2024 06:29
c99e97e
to
41e34cd
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
5 times, most recently
from
May 11, 2024 06:41
7d9e5b6
to
ef76c54
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
May 16, 2024 14:12
d2f2128
to
b561e10
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
3 times, most recently
from
June 20, 2024 18:25
64d328e
to
6c9180b
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
July 5, 2024 09:02
c47821f
to
8012d73
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
July 11, 2024 01:08
8012d73
to
bd46e62
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
July 24, 2024 15:05
bd46e62
to
a5833bb
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
August 6, 2024 17:37
a5833bb
to
c3c2067
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
5 times, most recently
from
August 20, 2024 18:38
19d3f55
to
3714f15
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
7 times, most recently
from
October 28, 2024 17:05
1dc8be4
to
2031992
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
October 28, 2024 18:41
2031992
to
31f0a84
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
November 5, 2024 19:56
31f0a84
to
3ca41ff
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
5 times, most recently
from
November 21, 2024 08:32
e711cae
to
3b220d2
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
November 25, 2024 18:46
75d688b
to
9c97271
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
November 30, 2024 17:40
9c97271
to
b5d4be3
Compare
renovate
bot
changed the title
fix(deps): update dependency express to ~4.20.0 [security]
Update dependency express to ~4.20.0 [SECURITY]
Nov 30, 2024
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
9 times, most recently
from
December 5, 2024 19:23
cfb1894
to
aaebd93
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
December 6, 2024 12:47
aaebd93
to
0a15fcc
Compare
renovate
bot
changed the title
Update dependency express to ~4.20.0 [SECURITY]
fix(deps): update dependency express to ~4.20.0 [security]
Dec 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~4.18.3
->~4.20.0
GitHub Vulnerability Alerts
CVE-2024-29041
Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using
encodeurl
on the contents before passing it to thelocation
header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.The main method impacted is
res.location()
but this is also called from withinres.redirect()
.Patches
expressjs/express@0867302
expressjs/express@0b74695
An initial fix went out with
[email protected]
, we then patched a feature regression in4.19.1
and added improved handling for the bypass in4.19.2
.Workarounds
The fix for this involves pre-parsing the url string with either
require('node:url').parse
ornew URL
. These are steps you can take on your own before passing the user input string tores.location
orres.redirect
.References
https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location
CVE-2024-43796
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to
response.redirect()
may execute untrusted codePatches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
Release Notes
expressjs/express (express)
v4.20.0
Compare Source
==========
depth
option to customize the depth level in the parserdepth
level for parsing URL-encoded data is now32
(previously wasInfinity
)res.redirect
\
,|
, and^
to align better with URL specoptions.maxAge
andoptions.expires
tores.clearCookie
v4.19.2
Compare Source
==========
v4.19.1
Compare Source
==========
v4.19.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.