{"id":"AZL-44361","summary":"CVE-2024-29041 affecting package nodejs-nodemon 2.0.3-5","details":"Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.","modified":"2026-04-21T04:19:09.196965Z","published":"2024-03-25T21:15:46Z","upstream":["CVE-2024-29041"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29041"}],"affected":[{"package":{"name":"nodejs-nodemon","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/nodejs-nodemon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.0.3-5"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-44361.json"}}],"schema_version":"1.7.5"}