The cybersecurity community has been abuzz with the recent disclosure of a significant vulnerability - CVE-2024-43799 - in the popular 'send' library used for streaming files in HTTP responses. This vulnerability has the potential to impact a wide array of applications and developers who rely on this library in their projects. As such, we have put together this long-read post to discuss the details and lay out the critical information you need to know about CVE-2024-43799.

CVE-2024-43799 Overview

In a nutshell, CVE-2024-43799 affects the 'send' library, a widely-used module for streaming files from the file system to an HTTP response, especially on the Node.js platform. The vulnerability exists because the library passes untrusted user input to the SendStream.redirect() function, which could subsequently lead to remote code execution. The good news is that this issue has been patched in the latest release of the library, which is version 0.19.0. Therefore, it is essential to ensure that your applications are using this updated version to prevent this vulnerability.

Exploit Details

To exploit this vulnerability, an attacker only needs to send a maliciously crafted redirect request containing untrusted user input to the vulnerable application. If the application passes this input directly to the SendStream.redirect() function, then the attacker could achieve remote code execution on the affected system.

Here's an example of unsafe code that might lead to the exploitation of the vulnerability:

const http = require('http');
const send = require('send');
const url = require('url');

const server = http.createServer(function(req, res) {
  // The path comes straight from the request line (req.url): untrusted input
  const path = url.parse(req.url).pathname;

  // The unvalidated path goes directly into send(), and from there into
  // SendStream.redirect() when send decides to redirect the client
  send(req, path)
    .on('error', function(err) {
        // Any error raised by send is returned to the client as-is
        res.statusCode = err.status || 500;
        res.end(err.message);
    })
    .pipe(res);
});

server.listen(3000);

In this code snippet, untrusted user input (req.url) is parsed to obtain the path, which is then passed to the send function with no further validation or sanitization. In the case of a file not being found, the error handling portion of the code will simply execute the untrusted user input. This kind of code pattern makes applications vulnerable to CVE-2024-43799.

Mitigation and Patching

To mitigate the impact of this vulnerability, developers should follow these best practices and recommendations:

- Update the 'send' library to version 0.19.0 or later.

- Validate and sanitize untrusted user input before passing it to the SendStream.redirect() function or other potentially vulnerable functions.

- Implement proper error handling mechanisms and avoid writing code that executes untrusted user input directly.

The following references contain more information about CVE-2024-43799:

1. NVD - CVE-2024-43799
2. GitHub Security Advisory

Conclusion

CVE-2024-43799 represents a serious vulnerability in the 'send' library, which, if exploited, could lead to remote code execution on the vulnerable systems. Developers are strongly encouraged to follow best practices in updating their library dependencies and implementing secure coding practices to mitigate potential risks. By following the guidance outlined in this post, you can help protect your applications from this vulnerability and reduce the likelihood of encountering similar security issues in the future.

Timeline

Published on: 09/10/2024 15:15:17 UTC
Last modified on: 09/20/2024 16:57:14 UTC