
fix: express: cause malformed URLs to be evaluated #1

Merged
galanko merged 1 commit into master from opensec/fix/express-cve-2024-29041 on May 15, 2026

Conversation


@galanko galanko commented May 14, 2026

Summary

Automated remediation for trivy finding: express: cause malformed URLs to be evaluated (CVE-2024-29041)

Changes

  • Updated express dependency from ^4.13.4 to ^4.19.2 in package.json
  • Ran npm install to resolve dependencies and install patched version (installed 4.22.2, which includes the fix)
  • Verified package-lock.json reflects the updated express version
  • Confirmed existing test suite completes without errors
  • Validated that CVE-2024-29041 vulnerability is no longer reported in npm audit

Details

Vulnerability: Express.js Open Redirect via Malformed URL Encoding (CVE-2024-29041)

  • Severity: MEDIUM (CVSS 6.1)
  • Affected versions: < 4.19.0
  • Fixed in: 4.19.2 and 5.0.0-beta.3

This vulnerability allows open redirect attacks via malformed URLs in Express.js applications that use the res.location() or res.redirect() methods with user-provided URLs. The fix ensures proper URL encoding that cannot be bypassed by redirect allow list implementations.

Impact

  • No code changes required
  • No breaking changes
  • All existing functionality preserved
  • Security enhancement with backward-compatible patch update

Generated by OpenSec remediation agent
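An added illustration of the defensive pattern this CVE is about, not code from this PR, from Express, or from the OpenSec agent: a redirect-target helper that applies its allow list to the exact, normalised string it will hand to res.redirect(), parsed with the WHATWG URL parser that browsers use, rather than to an earlier form of the input that may later be encoded differently. The origins app.example and sso.example, the helper names, the sample inputs and the duck-typed res object are assumptions constructed for the example.

```javascript
// Added example: validate a user-supplied redirect target before passing it
// to Express's res.redirect(). The allow list is checked against the
// serialised href that will actually be sent as the Location header, so the
// value checked is byte-for-byte the value sent.

// Constructed allow list for the example; a real application lists its own origins.
const APP_ORIGIN = 'https://app.example';
const ALLOWED_ORIGINS = new Set([APP_ORIGIN, 'https://sso.example']);
const FALLBACK = '/';

/**
 * Return a safe absolute URL to redirect to, or FALLBACK when the input is not
 * a plain http(s) URL on an allowed origin. Relative paths are resolved against
 * APP_ORIGIN, so "/account" becomes "https://app.example/account".
 */
function safeRedirectTarget(input, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof input !== 'string' || input.length === 0) return FALLBACK;

  // Control characters and whitespace have no place in a Location value;
  // lenient parsers disagree about them, so reject rather than normalise.
  if (/[\u0000-\u0020\u007f]/.test(input)) return FALLBACK;

  let parsed;
  try {
    // WHATWG URL parsing: the same rules a browser applies to the Location header.
    parsed = new URL(input, APP_ORIGIN);
  } catch (e) {
    return FALLBACK; // unparseable input is never forwarded
  }

  // Only web schemes; this rules out javascript:, data:, file: and similar.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return FALLBACK;

  // Credentials embedded in the URL are never legitimate for a redirect target.
  if (parsed.username !== '' || parsed.password !== '') return FALLBACK;

  // Origin comparison covers scheme, host and port together;
  // "//other.example/path" resolves to a foreign origin and is rejected here.
  if (!allowedOrigins.has(parsed.origin)) return FALLBACK;

  // Hand back the serialised form that was just validated.
  return parsed.href;
}

/**
 * Express-style usage. `res` is any object with a redirect(url) method, which
 * lets the example run without Express installed. Returns the target used.
 */
function redirectSafely(res, input) {
  const target = safeRedirectTarget(input);
  res.redirect(target);
  return target;
}

// Constructed inputs showing the decisions the helper makes.
const SAMPLES = [
  '/account?tab=security',     // same-origin relative path: accepted
  'https://sso.example/login',  // allow-listed origin: accepted
  'https://evil.example/',      // foreign origin: fallback
  '//evil.example/',            // protocol-relative: fallback
  'http://app.example/',        // right host, wrong scheme: fallback
  'https://user@app.example/',  // userinfo present: fallback
  'javascript:void(0)',         // non-web scheme: fallback
  'not a url',                  // whitespace: fallback
];

// Returns [input, decision] pairs for every sample (handy for a quick run).
function demo() {
  return SAMPLES.map((s) => [s, safeRedirectTarget(s)]);
}
```

In an Express handler this is used as `redirectSafely(res, req.query.next)`; the fallback of `/` means a rejected target degrades to the application's home page rather than to an error, which is the usual choice for post-login "next" parameters.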

Remediate CVE-2024-29041 by updating express from ^4.13.4 to ^4.19.2.

This fixes an open redirect vulnerability in Express.js versions prior to 4.19.0
where malformed URLs could be evaluated in unexpected ways by redirect allow list
implementations, potentially bypassing security controls.

The vulnerability affects the res.location() and res.redirect() methods.
Express 4.19.2 and later include the security fix for this issue.

No code changes required - this is a safe dependency version bump that maintains
full backward compatibility while fixing the CVE-2024-29041 vulnerability.
@galanko galanko marked this pull request as ready for review May 15, 2026 12:36
@galanko galanko merged commit c84a37e into master May 15, 2026
@galanko galanko deleted the opensec/fix/express-cve-2024-29041 branch May 15, 2026 12:36