{"id":"AZL-37137","summary":"CVE-2024-29041 affecting package reaper for versions less than 3.1.1-9","details":"Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.","modified":"2026-04-21T04:28:13.669494Z","published":"2024-03-25T21:15:46Z","upstream":["CVE-2024-29041"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29041"}],"affected":[{"package":{"name":"reaper","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/reaper"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.1-9"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37137.json"}}],"schema_version":"1.7.5"}