CVE-2024-43800: 
JavaScript vulnerability analysis and mitigation

CVE-2024-43800 affects serve-static, a package that serves static files. The vulnerability was discovered and disclosed on September 10, 2024. The issue allows potential execution of untrusted code through passing sanitized yet untrusted user input to the redirect() function. The vulnerability affects serve-static versions prior to 1.16.0 and versions from 2.0.0 to 2.1.0 (excluding 2.1.0) (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the redirect functionality where even sanitized user input passed to redirect() could potentially lead to code execution (NVD).

Successful exploitation of this vulnerability requires specific conditions: the attacker must control the input to response.redirect(), express must not redirect before the template appears, and the user must click on the link in the template before the browser completes redirection. The impact includes potential unauthorized code execution with low confidentiality and integrity impacts (GitHub Advisory).

The vulnerability has been patched in serve-static version 1.16.0 and 2.1.0. Users are encouraged to upgrade to the patched versions. As a workaround, users should ensure any untrusted inputs are safe by validating them against an explicit allowlist (GitHub Advisory).