{"id":"AZL-43690","summary":"CVE-2024-29041 affecting package nodejs-nodemon 2.0.3-4","details":"Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.","modified":"2026-04-21T04:31:06.862044Z","published":"2024-03-25T21:15:46Z","upstream":["CVE-2024-29041"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29041"}],"affected":[{"package":{"name":"nodejs-nodemon","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/nodejs-nodemon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.0.3-4"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-43690.json"}}],"schema_version":"1.7.5"}