blog: security patches for Sep 24 #1607
Draft
UlisesGascon wants to merge 16 commits into gh-pages from blog/sep-24-sec
Commits (16)
72cf657 blog: security patches for Sep 24 (UlisesGascon)
6f9da33 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
38be5cb Update _posts/2024-09-30-security-releases.md (UlisesGascon)
196227f Update _posts/2024-09-30-security-releases.md (UlisesGascon)
528ffb2 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
739dfb9 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
f98c2ae Update _posts/2024-09-30-security-releases.md (UlisesGascon)
735cf6b Update _posts/2024-09-30-security-releases.md (UlisesGascon)
1354be5 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
7188093 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
e24bf31 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
82fc865 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
13a4f57 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
aed825d Update _posts/2024-09-30-security-releases.md (UlisesGascon)
432dfce Update _posts/2024-09-30-security-releases.md (UlisesGascon)
9f536e1 Update _posts/2024-09-30-security-releases.md (UlisesGascon)
@@ -0,0 +1,115 @@ | ||
--- | ||
title: September 2024 Security Releases! | ||
tags: security, vulnerabilities | ||
author: Ulises gascón | ||
--- | ||
|
||
Recently, the Express team has been made aware of a number of security vulnerabilities in the Express project. We have released a number of patches to address these vulnerabilities. We strongly recommend that all users of Express upgrade to the latest version as soon as possible. The following vulnerabilities have been addressed: | ||
|
||
|
||
## CVE-2024-45590 (High) in `body-parser` | ||
|
||
**[body-parser](https://www.npmjs.com/package/body-parser) vulnerable to denial of service when url encoding is enabled** | ||
|
||
body-parser `<1.20.3` is vulnerable to denial of service when url encoding is enabled. a malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. | ||
|
||
|
||
**Affected versions** | ||
- `<1.20.3` | ||
|
||
**Patched versions** | ||
- `>=1.20.3` | ||
|
||
This vulnerability was discovered during the [OSTIF audit to Express](https://github.com/expressjs/security-wg/issues/6) and was mitigated by [the Express Securty triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team). | ||
|
||
More details area available in [GHSA-qwcr-r2fm-qrc7](https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7) | ||
|
||
|
||
|
||
## CVE-2024-43796 (moderate) in `express` | ||
|
||
**[express](https://www.npmjs.com/package/express) vulnerable to XSS via `response.redirect()`** | ||
|
||
In express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code. | ||
|
||
**Affected versions** | ||
- `<4.20.0` | ||
- `>=5.0.0-alpha.1`, `<5.0.0` | ||
|
||
**Patched versions** | ||
- `>=4.20.0` | ||
- `>=5.0.0` | ||
|
||
|
||
This vulnerability was discovered during the [OSTIF audit to Express](https://github.com/expressjs/security-wg/issues/6) and was mitigated by [the Express Securty triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team). | ||
|
||
More details area available in [GHSA-qw6h-vgh9-j6wx](https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx) | ||
|
||
|
||
## CVE-2024-43799 (moderate) in `send`. | ||
|
||
**[send](https://www.npmjs.com/package/send) is vulnerable to template injection that can lead to XSS** | ||
|
||
Passing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code | ||
|
||
|
||
**Affected versions** | ||
- `< 0.19.0` | ||
|
||
**Patched versions** | ||
- `>=0.19.0` | ||
|
||
This vulnerability was discovered during the [OSTIF audit to Express](https://github.com/expressjs/security-wg/issues/6) and was mitigated by [the Express Securty triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team). | ||
|
||
More details area available in [GHSA-m6fv-jmcg-4jfg](https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg) | ||
|
||
|
||
## CVE-2024-43800 (moderate) in `serve-static` | ||
|
||
**[serve-static](https://www.npmjs.com/package/serve-static) vulnerable to template injection that can lead to XSS** | ||
|
||
Passing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code. | ||
|
||
**Affected versions** | ||
- `< 1.16.0` | ||
- `>=2.0.0`, `<2.1.0` | ||
|
||
**Patched versions** | ||
- `>=1.16.0` | ||
- `>=2.1.0` | ||
|
||
This vulnerability was discovered during the [OSTIF audit to Express](https://github.com/expressjs/security-wg/issues/6) and was mitigated by [the Express Securty triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team). | ||
|
||
More details area available in [GHSA-cm22-4g7w-348p](https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p) | ||
|
||
|
||
## CVE-2024-45296 (moderate) in `path-to-regexp` | ||
|
||
**[path-to-regexp](https://www.npmjs.com/package/path-to-regexp) vulnerable to regular expression denial of service (ReDoS)** | ||
|
||
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`. | ||
|
||
|
||
Using `/:a-:b` will produce the regular expression `/^\/([^\/]+?)-([^\/]+?)\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`. | ||
|
||
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms. | ||
|
||
**Affected versions** | ||
- `>=4.0.0`, `<8.0.0` | ||
- `>=0.2.0`, `<1.9.0` | ||
- `<0.1.10` | ||
- `>=2.0.0`, `<3.3.0` | ||
|
||
|
||
**Patched versions** | ||
- `8.0.0` | ||
- `1.9.0` | ||
- `0.1.10` | ||
- `3.3.0` | ||
Comment on lines +104 to +108:
These versions should be fixed to provide appropriate version ranges between the different majors.
||
|
||
|
||
Thanks to [Blake Embrey](https://github.com/blakeembrey) who reported and created the security patch. | ||
|
||
|
||
More details area available in [GHSA-9wv6-86v2-598j](https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j) | ||
|
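Review bot: the closing lines of every CVE section repeat two typos that should be fixed before merge: "the Express Securty triage team" (four occurrences) should read "Security", and "More details area available in ..." (five occurrences) should read "are available". Smaller consistency points in the same file: the front matter has `author: Ulises gascón` with a lower-case surname and no `description` field; the body-parser paragraph starts a sentence in lower case ("a malicious actor using a specially crafted payload could flood the server ..."); the severity labels mix `(High)` and `(moderate)`; and the `send` heading ends with a stray period (`## CVE-2024-43799 (moderate) in \`send\`.`). In the path-to-regexp entry the "Patched versions" list gives bare versions (`8.0.0`, `1.9.0`, `0.1.10`, `3.3.0`) in a different order from the affected ranges, so a reader cannot pair each affected range with its fix; suggest writing them as ranges in the same order as the affected list, i.e. `>=0.1.10, <0.2.0`, `>=1.9.0, <2.0.0`, `>=3.3.0, <4.0.0`, `>=8.0.0`. Finally, the body-parser entry is the only High-severity item in the post yet says nothing about how to tell whether an application is affected; one line telling readers to check the installed version (for example with `npm ls body-parser`) against the `<1.20.3` range would make the post actionable.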
Can you add the 'description' metadata? The page now supports that function.