Skip to content

deps(renovate): update dependency serve-static to v1.16.0 [security]#854

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-serve-static-vulnerability
Open

deps(renovate): update dependency serve-static to v1.16.0 [security]#854
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-serve-static-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Sep 17, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
serve-static 1.15.01.16.0 age adoption passing confidence

serve-static vulnerable to template injection that can lead to XSS

CVE-2024-43800 / GHSA-cm22-4g7w-348p

More information

Details

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

expressjs/serve-static (serve-static)

v1.16.0

Compare Source

===================

  • Remove link renderization in html while redirecting

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (rebase) September 17, 2024 03:59
@renovate renovate Bot force-pushed the renovate/npm-serve-static-vulnerability branch from 4929823 to c10d7fd Compare January 2, 2025 07:06
@renovate renovate Bot changed the title deps(renovate): update dependency serve-static to v1.16.0 [security] deps(renovate): update dependency serve-static to v1.16.0 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 02:01

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-serve-static-vulnerability branch March 27, 2026 02:01
@renovate renovate Bot changed the title deps(renovate): update dependency serve-static to v1.16.0 [security] - autoclosed deps(renovate): update dependency serve-static to v1.16.0 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-serve-static-vulnerability branch 2 times, most recently from c10d7fd to 9078eaa Compare March 30, 2026 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants