CVE-2024-10491: 
JavaScript vulnerability analysis and mitigation

A vulnerability (CVE-2024-10491) has been identified in the Express response.links function, affecting Express versions 3.0.0-alpha1 through 3.21.4. The vulnerability allows for arbitrary resource injection in the Link header when unsanitized data is used. This security issue was discovered and disclosed on October 29, 2024, affecting the Express Node.js web application framework (HeroDevs Advisory, NVD).

The vulnerability stems from improper sanitization in Link header values, which can allow a combination of characters like commas, semicolons, and angle brackets to preload malicious resources. The issue is particularly concerning for dynamic parameters. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N by NIST, while HeroDevs assigned a score of 4.0 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N (NVD).

When exploited, this vulnerability could allow attackers to perform resource injection attacks through the Link header. The impact primarily affects the integrity of the application by allowing the injection of malicious resources through header manipulation (HeroDevs Advisory).

Express 3 has reached End-of-Life and will not receive official updates to address this issue. Users are advised to either migrate affected applications away from Express 3 or leverage a commercial support partner for post-EOL security support (HeroDevs Advisory).