📂 Vulnerable Library - express-4.16.4.tgz
Fast, unopinionated, minimalist web framework
Path to dependency file: /package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-275296-826791 |
🟣 Critical |
9.8 |
N/A |
N/A |
qs-6.5.2.tgz |
Transitive |
N/A |
❌ |
|
| CVE-587792-470342 |
🟣 Critical |
9.8 |
N/A |
N/A |
on-finished-2.3.0.tgz |
Transitive |
N/A |
❌ |
|
| CVE-2022-24999 |
🔴 High |
8.7 |
Not Defined |
3.1% |
qs-6.5.2.tgz |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2024-10491 |
🟠 Medium |
6.3 |
Not Defined |
< 1% |
express-4.16.4.tgz |
Direct |
express - 4.0.0-rc1,express - 4.0.0-rc1 |
✅ |
|
Details
🟣CVE-275296-826791
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-275296-826791
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-587792-470342
Vulnerable Library - on-finished-2.3.0.tgz
Execute a callback when a request closes, finishes, or errors
Library home page: https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
express-4.16.4.tgz (Root Library)
- ❌ on-finished-2.3.0.tgz (Vulnerable Library)
-
helmet-2.3.0.tgz (Root Library)
- connect-3.4.1.tgz
- finalhandler-0.4.1.tgz
- ❌ on-finished-2.3.0.tgz (Vulnerable Library)
-
body-parser-1.18.3.tgz (Root Library)
- ❌ on-finished-2.3.0.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-587792-470342
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- owasp-nodejs-goat-1.3.0/server.js (Application)
- body-parser-1.18.3/index.js (Extension)
- body-parser-1.18.3/lib/types/urlencoded.js (Extension)
- qs-6.5.2/lib/index.js (Extension)
- qs-6.5.2/lib/stringify.js (Extension)
-> ❌ qs-6.5.2/lib/utils.js (Vulnerable Component)
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 26, 2022 12:00 AM
URL: CVE-2022-24999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hrpp-h998-j3pp
Release Date: Nov 26, 2022 12:00 AM
Fix Resolution : qs - 6.6.1,qs - 6.10.3,qs - 6.2.4,qs - 6.8.3,qs - 6.3.3,qs - 6.4.1,qs - 6.7.3,qs - 6.5.3,qs - 6.9.7
🟠CVE-2024-10491
Vulnerable Library - express-4.16.4.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.16.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ express-4.16.4.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in "Link" header values, which can allow a combination of characters like ",", ";", and "<>" to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.
Publish Date: Oct 29, 2024 04:23 PM
URL: CVE-2024-10491
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-cm5g-3pgc-8rg4
Release Date: Oct 29, 2024 04:23 PM
Fix Resolution : express - 4.0.0-rc1,express - 4.0.0-rc1
📂 Vulnerable Library - express-4.16.4.tgz
Fast, unopinionated, minimalist web framework
Path to dependency file: /package.json
Findings
Details
🟣CVE-275296-826791
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
express-4.16.4.tgz (Root Library)
body-parser-1.18.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-275296-826791
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-587792-470342
Vulnerable Library - on-finished-2.3.0.tgz
Execute a callback when a request closes, finishes, or errors
Library home page: https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
express-4.16.4.tgz (Root Library)
helmet-2.3.0.tgz (Root Library)
body-parser-1.18.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-587792-470342
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
express-4.16.4.tgz (Root Library)
body-parser-1.18.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 26, 2022 12:00 AM
URL: CVE-2022-24999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hrpp-h998-j3pp
Release Date: Nov 26, 2022 12:00 AM
Fix Resolution : qs - 6.6.1,qs - 6.10.3,qs - 6.2.4,qs - 6.8.3,qs - 6.3.3,qs - 6.4.1,qs - 6.7.3,qs - 6.5.3,qs - 6.9.7
🟠CVE-2024-10491
Vulnerable Library - express-4.16.4.tgz
Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.16.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in "Link" header values, which can allow a combination of characters like ",", ";", and "<>" to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.
Publish Date: Oct 29, 2024 04:23 PM
URL: CVE-2024-10491
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-cm5g-3pgc-8rg4
Release Date: Oct 29, 2024 04:23 PM
Fix Resolution : express - 4.0.0-rc1,express - 4.0.0-rc1