-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency express to v4.19.2 [SECURITY] #605
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-express-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 3, 2024 15:02
373d775
to
9063da6
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
April 9, 2024 23:45
e35dcca
to
524aae7
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 23, 2024 00:30
524aae7
to
320e087
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 25, 2024 10:27
320e087
to
34ab5b7
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 25, 2024 23:34
34ab5b7
to
a48c034
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 29, 2024 12:50
a48c034
to
79fe43c
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 29, 2024 13:51
79fe43c
to
80ccbab
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 30, 2024 10:12
80ccbab
to
feffcea
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 30, 2024 17:09
feffcea
to
651526e
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
June 3, 2024 01:56
651526e
to
a04c721
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
June 11, 2024 01:16
a04c721
to
836fbdf
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
June 17, 2024 22:13
836fbdf
to
71a69e5
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
July 6, 2024 02:35
71a69e5
to
f806f3d
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
August 5, 2024 10:26
f806f3d
to
2599a48
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
August 22, 2024 00:21
2599a48
to
4b70450
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
August 23, 2024 20:03
4b70450
to
c8d5354
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
August 28, 2024 16:17
c8d5354
to
85451e1
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
September 4, 2024 09:37
85451e1
to
9d741d1
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
September 11, 2024 12:46
9d741d1
to
680c0b3
Compare
renovate
bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
September 12, 2024 13:18
680c0b3
to
667b808
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.18.2
->4.19.2
GitHub Vulnerability Alerts
CVE-2024-29041
Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using
encodeurl
on the contents before passing it to thelocation
header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.The main method impacted is
res.location()
but this is also called from withinres.redirect()
.Patches
expressjs/express@0867302
expressjs/express@0b74695
An initial fix went out with
[email protected]
, we then patched a feature regression in4.19.1
and added improved handling for the bypass in4.19.2
.Workarounds
The fix for this involves pre-parsing the url string with either
require('node:url').parse
ornew URL
. These are steps you can take on your own before passing the user input string tores.location
orres.redirect
.References
https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location
Release Notes
expressjs/express (express)
v4.19.2
Compare Source
==========
v4.19.1
Compare Source
==========
v4.19.0
Compare Source
v4.18.3
Compare Source
==========
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.