{"id":"UBUNTU-CVE-2024-10491","details":"A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `\u003c\u003e` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.","modified":"2026-01-30T01:37:39.789171Z","published":"2024-10-29T17:15:00Z","withdrawn":"2025-06-23T15:57:35Z","related":["CVE-2024-10491"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-10491"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-10491"},{"type":"REPORT","url":"https://www.herodevs.com/vulnerability-directory/cve-2024-10491"}],"affected":[{"package":{"name":"node-express","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/node-express@4.1.1~dfsg-1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.1.1~dfsg-1"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}},{"package":{"name":"node-express","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/node-express@4.1.1~dfsg-1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.1.1~dfsg-1"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}},{"package":{"name":"node-express","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/node-express@4.17.1-2?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.17.1-1","4.17.1-2"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}},{"package":{"name":"node-express","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/node-express@4.17.3+~4.17.13-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.17.1-3","4.17.1+~cs4.17.13-1","4.17.2+~4.17.13-1","4.17.3+~4.17.13-1"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}},{"package":{"name":"node-express","ecosystem":"Ubuntu:24.10","purl":"pkg:deb/ubuntu/node-express@4.19.2+~cs8.36.26-1?arch=source&distro=oracular"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.19.2+~cs8.36.21-1","4.19.2+~cs8.36.26-1"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}},{"package":{"name":"node-express","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-express@4.19.2+~cs8.36.21-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.18.2+~cs8.34.50-1","4.19.2+~cs8.36.21-1"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}},{"package":{"name":"node-express","ecosystem":"Ubuntu:25.04","purl":"pkg:deb/ubuntu/node-express@4.21.0+~cs8.36.26-2?arch=source&distro=plucky"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.19.2+~cs8.36.26-1","4.21.0+~cs8.36.26-2"],"ecosystem_specific":{"ubuntu_priority":"medium"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10491.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}