MEDIUM · CVSS 6.1
CVE-2024-43796 — Express open redirect
An open-redirect issue in Express's `res.location()` and `res.redirect()` allowed attacker-supplied input to control the target of a redirect, enabling phishing campaigns that appear to originate from the trusted app.
Affects
- express < 4.20.0
What an attacker does
The attacker crafts a URL like `https://yourapp.com/go?to=evil.com`. If your app passes `req.query.to` to `res.redirect()` without validation, the user is sent to evil.com from a URL bar that displayed yourapp.com a moment earlier.
How to detect
Search your codebase for `res.redirect(req.` and `res.location(req.`.
How to fix
Upgrade Express to 4.20.0 or later. Separately, never pass untrusted input directly to a redirect: allowlist targets or use signed tokens.
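The allowlist approach in code, as an added example that is not part of this advisory or of Express itself. It assumes the app is served from a single origin (`APP_ORIGIN`, a placeholder) and that any redirect off that origin should fall back to `/`; the handler `goHandler` and the query parameter `to` mirror the `/go?to=` pattern described above.

```javascript
// Added example: validate a user-supplied redirect target before handing it to
// res.redirect(). Not Express code; APP_ORIGIN is an assumed placeholder.
const APP_ORIGIN = 'https://yourapp.com';

// Returns a same-origin, path-only redirect target, or `fallback` when the
// input cannot be resolved safely onto APP_ORIGIN.
function safeRedirectTarget(rawTarget, fallback = '/') {
  // req.query values can be arrays (?to=a&to=b) or undefined; only strings qualify.
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) return fallback;

  // Resolve against the app's own origin with the WHATWG URL parser (Node's built-in
  // `URL`). Relative paths become same-origin URLs; absolute URLs, protocol-relative
  // "//evil.com", backslash variants "/\evil.com" and "user@host" tricks all surface
  // as a different origin, and "javascript:" / "data:" resolve to the opaque origin "null".
  let parsed;
  try {
    parsed = new URL(rawTarget, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }

  // Compare the full origin (scheme + host + port), so an http:// downgrade of our own
  // host is rejected as well.
  if (parsed.origin !== APP_ORIGIN) return fallback;

  // Emit only path + query + fragment, so the Location header never carries a host at all.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Express handler for GET /go?to=... using the validator (wiring only; the validator
// itself needs no Express to run).
function goHandler(req, res) {
  res.redirect(safeRedirectTarget(req.query.to));
}

module.exports = { safeRedirectTarget, goHandler };
```

Note that a bare `evil.com` (no scheme or leading slashes) resolves to the same-origin path `/evil.com`, which is harmless; the validator only cares about where the browser will actually be sent.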
How Securie catches it
Securie's taint analyzer traces user input into redirect sinks.