Lookup for vulnerable packages by Package URL.

Purl pkg:npm/express@5.0.0
Type npm
Namespace
Name express
Version 5.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 5.2.0
Latest_non_vulnerable_version 5.2.0
Affected_by_vulnerabilities
0
url VCID-9usd-2u38-nfea
vulnerability_id VCID-9usd-2u38-nfea
summary This advisory has been marked as False Positive and removed.
references
0
reference_url https://github.com/expressjs/express
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/expressjs/express
1
reference_url https://github.com/expressjs/express/commit/2f64f68c37c64ae333e41ff38032d21860f22255
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/expressjs/express/commit/2f64f68c37c64ae333e41ff38032d21860f22255
2
reference_url https://github.com/expressjs/express/releases/tag/4.22.0
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/expressjs/express/releases/tag/4.22.0
3
reference_url https://github.com/expressjs/express/releases/tag/v5.2.0
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/expressjs/express/releases/tag/v5.2.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51999
reference_id CVE-2024-51999
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51999
5
reference_url https://github.com/advisories/GHSA-pj86-cfqh-vqx6
reference_id GHSA-pj86-cfqh-vqx6
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pj86-cfqh-vqx6
6
reference_url https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6
reference_id GHSA-pj86-cfqh-vqx6
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6
fixed_packages
0
url pkg:npm/express@5.2.0
purl pkg:npm/express@5.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express@5.2.0
aliases CVE-2024-51999, GHSA-pj86-cfqh-vqx6
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9usd-2u38-nfea
Fixing_vulnerabilities
0
url VCID-fevu-q6th-9beb
vulnerability_id VCID-fevu-q6th-9beb
summary
express vulnerable to XSS via response.redirect()
### Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code.

### Patches

This issue is patched in express 4.20.0.

### Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

### Details

Successful exploitation of this vector requires the following:

1. The attacker MUST control the input to response.redirect()
1. express MUST NOT redirect before the template appears
1. the browser MUST NOT complete redirection before:
1. the user MUST click on the link in the template
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43796.json
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43796.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-43796
reference_id
reference_type
scores
0
value 0.0012
scoring_system epss
scoring_elements 0.31076
published_at 2026-04-04T12:55:00Z
1
value 0.0012
scoring_system epss
scoring_elements 0.30986
published_at 2026-04-11T12:55:00Z
2
value 0.0012
scoring_system epss
scoring_elements 0.30981
published_at 2026-04-09T12:55:00Z
3
value 0.0012
scoring_system epss
scoring_elements 0.30952
published_at 2026-04-08T12:55:00Z
4
value 0.0012
scoring_system epss
scoring_elements 0.30894
published_at 2026-04-07T12:55:00Z
5
value 0.0012
scoring_system epss
scoring_elements 0.31029
published_at 2026-04-02T12:55:00Z
6
value 0.0012
scoring_system epss
scoring_elements 0.30909
published_at 2026-04-18T12:55:00Z
7
value 0.0012
scoring_system epss
scoring_elements 0.3093
published_at 2026-04-16T12:55:00Z
8
value 0.0012
scoring_system epss
scoring_elements 0.30898
published_at 2026-04-13T12:55:00Z
9
value 0.0012
scoring_system epss
scoring_elements 0.30943
published_at 2026-04-12T12:55:00Z
10
value 0.00123
scoring_system epss
scoring_elements 0.31411
published_at 2026-04-21T12:55:00Z
11
value 0.00123
scoring_system epss
scoring_elements 0.31241
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-43796
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43796
3
reference_url https://github.com/expressjs/express
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/expressjs/express
4
reference_url https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:58:36Z/
url https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
5
reference_url https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
4
value LOW
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T15:58:36Z/
url https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-43796
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-43796
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081481
reference_id 1081481
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081481
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2311152
reference_id 2311152
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2311152
9
reference_url https://github.com/advisories/GHSA-qw6h-vgh9-j6wx
reference_id GHSA-qw6h-vgh9-j6wx
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qw6h-vgh9-j6wx
10
reference_url https://access.redhat.com/errata/RHSA-2024:10906
reference_id RHSA-2024:10906
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10906
11
reference_url https://access.redhat.com/errata/RHSA-2024:10917
reference_id RHSA-2024:10917
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10917
12
reference_url https://access.redhat.com/errata/RHSA-2024:10962
reference_id RHSA-2024:10962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10962
13
reference_url https://access.redhat.com/errata/RHSA-2024:7726
reference_id RHSA-2024:7726
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7726
14
reference_url https://access.redhat.com/errata/RHSA-2024:8014
reference_id RHSA-2024:8014
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8014
15
reference_url https://access.redhat.com/errata/RHSA-2024:8023
reference_id RHSA-2024:8023
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8023
16
reference_url https://access.redhat.com/errata/RHSA-2024:8113
reference_id RHSA-2024:8113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8113
17
reference_url https://access.redhat.com/errata/RHSA-2024:8581
reference_id RHSA-2024:8581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8581
18
reference_url https://access.redhat.com/errata/RHSA-2024:8676
reference_id RHSA-2024:8676
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8676
19
reference_url https://access.redhat.com/errata/RHSA-2024:8677
reference_id RHSA-2024:8677
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8677
20
reference_url https://access.redhat.com/errata/RHSA-2025:0079
reference_id RHSA-2025:0079
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0079
21
reference_url https://access.redhat.com/errata/RHSA-2025:0082
reference_id RHSA-2025:0082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0082
22
reference_url https://access.redhat.com/errata/RHSA-2025:0164
reference_id RHSA-2025:0164
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0164
23
reference_url https://access.redhat.com/errata/RHSA-2025:0323
reference_id RHSA-2025:0323
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0323
24
reference_url https://access.redhat.com/errata/RHSA-2025:0875
reference_id RHSA-2025:0875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0875
25
reference_url https://usn.ubuntu.com/7581-1/
reference_id USN-7581-1
reference_type
scores
url https://usn.ubuntu.com/7581-1/
fixed_packages
0
url pkg:npm/express@4.20.0
purl pkg:npm/express@4.20.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express@4.20.0
1
url pkg:npm/express@5.0.0
purl pkg:npm/express@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9usd-2u38-nfea
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express@5.0.0
aliases CVE-2024-43796, GHSA-qw6h-vgh9-j6wx
risk_score 2.2
exploitability 0.5
weighted_severity 4.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fevu-q6th-9beb
Risk_score 1.4
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express@5.0.0