{"id":"CVE-2024-29041","summary":"Express.js Open Redirect in malformed URLs","details":"Express.js is a minimalist web framework for Node.js. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability triggered by malformed URLs. When an Express application performs a redirect using a user-provided URL, Express encodes the value [using `encodeurl`](https://github.com/pillarjs/encodeurl) before writing it to the `Location` header. Because the encoded value can differ from what the application validated, a malformed URL can pass a properly implemented redirect allow list in the application and still be interpreted by the client as an off-site destination, resulting in an open redirect. The affected method is `res.location()`, which is also called internally by `res.redirect()`, so both entry points are exposed. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.","aliases":["GHSA-rv95-896h-c2vc"],"modified":"2026-04-02T10:10:00.430181Z","published":"2024-03-25T20:20:06.205Z","related":["CGA-r5vj-2cf3-hpwp"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29041.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-1286","CWE-601"]},"references":[{"type":"WEB","url":"https://expressjs.com/en/4x/api.html#res.location"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29041.json"},{"type":"ADVISORY","url":"https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29041"},{"type":"REPORT","url":"https://github.com/koajs/koa/issues/1800"},{"type":"FIX","url":"https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd"},{"type":"FIX","url":"https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94"},{"type":"FIX","url":"https://github.com/expressjs/express/pull/5539"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressjs/express","events":[{"introduced":"9375a9afa9d7baa814b454c7a6818a7471aaef00"},{"fixed":"084e36506a18774f85206a65d8da04dc1107fc1b"}],"database_specific":{"versions":[{"introduced":"4.14.0"},{"fixed":"4.19.0"}]}},{"type":"GIT","repo":"https://github.com/expressjs/express","events":[{"introduced":"4052c15c7f10b79fb7c54f3837ffe118f7a99811"},{"fixed":"cd7d79f92a7209b09aa9b065b0643c1bec55ed1d"}],"database_specific":{"versions":[{"introduced":"5.0.0-alpha.1"},{"fixed":"5.0.0-beta.3"}]}}],"versions":["4.14.0","4.14.1","4.15.0","4.15.1","4.15.2","4.15.3","4.15.4","4.15.5","4.16.0","4.16.1","4.16.2","4.16.3","4.16.4","4.17.0","4.17.1","4.17.2","4.17.3","4.18.0","4.18.1","4.18.2","4.18.3","5.0.0-alpha.1","5.0.0-alpha.2","5.0.0-alpha.3","5.0.0-alpha.4","5.0.0-alpha.5","5.0.0-alpha.6","5.0.0-alpha.7","5.0.0-alpha.8","5.0.0-beta.2","v5.0.0-beta.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29041.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}