CVE-2024-9266: 
JavaScript vulnerability analysis and mitigation

A URL Redirection to Untrusted Site ('Open Redirect') vulnerability has been identified in Express versions from 3.4.5 before 4.0.0, affecting the Express Response object. The vulnerability was discovered and disclosed on October 3, 2024, with a fix implemented on August 23, 2024 (HeroDevs).

The vulnerability exists in the response.js file within the Express package, specifically in the location() method of the response object. The vulnerability is triggered when three conditions are met: a request path begins with double slashes (//), a relative path for redirection begins with ./ and is provided from user-controlled input, and the Location header is set with that user-controlled input. The location() method extracts the path // and prepends it to the relative URL using the resolve() method, which evaluates the ./ and returns it as /, resulting in a URL like '///example.com'. Most browsers evaluate this as equivalent to //example.com, which is a valid scheme-relative-special-url (HeroDevs). The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N (NVD).

This vulnerability could be exploited to accomplish phishing attacks or redirect victims to malicious infection pages. When successfully exploited, it allows attackers to redirect users to arbitrary external URLs through user-controlled input (HeroDevs).

Express 3 has reached End-of-Life and will not receive direct updates to address this issue. Users of affected components should either migrate to a newer version of Express or leverage a commercial support partner like HeroDevs for post-EOL security support (HeroDevs).