What is GHSA-qw6h-vgh9-j6wx?

express vulnerable to XSS via response.redirect() This vulnerability has been assigned a severity rating of LOW.

How do I check if my project is affected by GHSA-qw6h-vgh9-j6wx?

Use GeekWala's free vulnerability scanner to check your dependencies against GHSA-qw6h-vgh9-j6wx and 200,000+ other known vulnerabilities. Upload your package.json, requirements.txt, or other dependency file to get instant results.

GHSA-qw6h-vgh9-j6wx

LOW

express vulnerable to XSS via response.redirect()

Published September 10, 2024Updated February 4, 2026Source: osv

Details

### Impact In express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code ### Patches this issue is patched in express 4.20.0 ### Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist ### Details successful exploitation of this vector requires the following: 1. The attacker MUST control the input to response.redirect() 1. express MUST NOT redirect before the template appears 1. the browser MUST NOT complete redirection before: 1. the user MUST click on the link in the template

Remediation

Upgrade to the fixed version using your package manager.

npm

Update express to 5.0.0 or later

npm install express@5.0.0

npm

Update express to 4.20.0 or later

npm install express@4.20.0

After upgrading, run your dependency scanner again to confirm the vulnerability is resolved.

Affected Packages (2)

Package	Ecosystem	Affected	Fixed In
express	npm	All versions	5.0.0
express	npm	All versions	4.20.0

Vulnerability Classification

Common Weakness Enumeration (CWE) identifiers for this vulnerability type.

CWE-79
Cross-site Scripting (XSS)MITRE

CVSS Score Breakdown

What the CVSS (Common Vulnerability Scoring System) 3.1 score means for each attack dimension.

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

References

Risk Assessment

CVSS Score

3.1

Exploitation is difficult or impact is minor. Address in your next planned update.

EPSS Score (30-day exploit probability)

0.12%

Higher than 31% of vulnerabilities

Also Known As

CVE-2024-43796

Check if you're affected

Scan your dependencies to see if this vulnerability affects your projects.

Scan Your Dependencies