CVE-2024-43799: 
JavaScript vulnerability analysis and mitigation

CVE-2024-43799 affects the Send library, which is used for streaming files from the file system as an HTTP response. The vulnerability was discovered and disclosed on September 10, 2024, affecting all versions of Send prior to 0.19.0. The issue involves untrusted user input being passed to SendStream.redirect() which can lead to code execution (GitHub Advisory, NVD).

The vulnerability stems from a template injection issue that can potentially lead to XSS (Cross-Site Scripting). The CVSS v3.1 base score is 4.7 (Medium) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. GitHub's assessment gives it a slightly different score of 5.0 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD, GitHub Advisory).

The vulnerability allows an attacker to execute untrusted code through template injection, potentially leading to Cross-Site Scripting (XSS) attacks. The impact requires specific conditions to be met, including attacker control of the input to response.redirect(), Express not redirecting before the template appears, and user interaction in the form of clicking a link in the template (GitHub Advisory).

The vulnerability has been patched in Send version 0.19.0. For users unable to upgrade immediately, a workaround is available by ensuring any untrusted inputs are properly validated, ideally using an explicit allowlist. It is strongly recommended to upgrade to the patched version (GitHub Advisory).