Static File Server Vulnerable to Command Injection
CVE-2024-43800

4.7MEDIUM

Key Information:

Vendor

Expressjs

Status
Serve-static
Vendor
CVE Published:
10 September 2024

What is CVE-2024-43800?

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

serve-static < 1.16.0 < 1.16.0

serve-static >= 2.0.0, < 2.1.0 < 2.0.0, 2.1.0

References

https://github.com/expressjs/serve-static/security/adviso...
x_refsource_CONFIRM
https://github.com/expressjs/serve-static/commit/0c11fad1...
x_refsource_MISC
https://github.com/expressjs/serve-static/commit/ce730896...
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.