Recommendation: SCHEDULE FIX (Monitor)
High severity, but exploitation requires specific conditions.
Monitor for patches. Assess whether your usage matches the vulnerable pattern.

Express response.redirect XSS

Cross-site scripting via untrusted input in response.redirect()

Severity: HIGH (CVSS 5)
Exploitation: No known exploits
Fix available: No patch yet
CVE-2024-43796 (npm / Express)

Should I care?

This matters if:
  • Your app passes user-controlled values (query parameters, form fields, stored URLs) to response.redirect() / res.redirect()
  • You implement "return to" / "next" style redirect flows whose target is taken from the request
Not relevant if:
  • Every res.redirect() target is a fixed string or is chosen from a server-side allowlist
  • You do not call res.redirect() at all

How to fix

How it breaks apps

1 User input (for example a returnTo query parameter) reaches res.redirect()
2 The value is written into the redirect response without being neutralised
3 Script executes in the victim's browser
4 Session hijack or data theft
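The check a practitioner would put in front of res.redirect() until the package is patched, as an added example that is not Express's or Shoulder's code: a validator that only lets same-origin paths or allowlisted https hosts through (so a javascript:, data: or foreign-host target never reaches the redirect), a hardened handler that falls back to a fixed location, and a minimal stand-in response object so the file runs without Express. The origin app.example.com, the docs.example.com allowlist entry, the returnTo parameter name and the route handler are assumptions made for the example.

```javascript
'use strict';

// Added example, not Express or Shoulder code. The origin and the external
// host allowlist are assumptions for the demonstration.
const APP_ORIGIN = 'https://app.example.com';
const ALLOWED_EXTERNAL_HOSTS = new Set(['docs.example.com']);

// The vulnerable pattern the advisory describes: a request value goes straight
// into res.redirect() without any check.
//   app.get('/login', (req, res) => res.redirect(req.query.returnTo));
// A returnTo of "javascript:alert(document.cookie)" is not an http(s) URL and
// must never be passed through. The same check also closes open redirects.

function isSafeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) {
    return false;
  }
  // Control characters, whitespace and backslashes invite header injection and
  // parser disagreement between server and browser; reject them outright.
  if (/[\u0000-\u0020\u007f\\]/.test(target)) return false;
  // Protocol-relative targets ("//evil.example") change host while looking like a path.
  if (target.startsWith('//')) return false;

  let url;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep their own.
    url = new URL(target, APP_ORIGIN);
  } catch {
    return false;
  }
  // Only http(s) may be a destination: this blocks javascript:, data:, vbscript:, etc.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  if (url.origin === APP_ORIGIN) return true;
  // External hosts must be on the allowlist and use https.
  return url.protocol === 'https:' && ALLOWED_EXTERNAL_HOSTS.has(url.hostname);
}

// Hardened choice of redirect location: unsafe targets fall back to a fixed path.
function chooseRedirect(target, fallback = '/') {
  return isSafeRedirectTarget(target) ? target : fallback;
}

// Express-style handler (assumed route); the only change from the vulnerable
// version is that the target goes through chooseRedirect() first.
function loginHandler(req, res) {
  res.redirect(chooseRedirect(req.query.returnTo));
}

// Runs the handler against constructed inputs with a stand-in response object
// that records the location it was asked to redirect to.
function runExample() {
  const results = {};
  const samples = [
    '/account',
    'javascript:alert(document.cookie)',
    '//evil.example/',
    'https://docs.example.com/x',
  ];
  for (const returnTo of samples) {
    const res = { redirect(loc) { this.location = loc; } };
    loginHandler({ query: { returnTo } }, res);
    results[returnTo] = res.location;
  }
  return results;
}
```

The validator leans on the WHATWG URL parser rather than a hand-written regex because that parser is what the browser will apply to the same string; the explicit rejections of whitespace, backslashes and a leading `//` are belt-and-braces against inputs where server and browser could disagree. This is a mitigation you control, so it remains worthwhile after the package is patched.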

Affected packages

npm Express

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2024-43796 is reachable — not just present.

npx @shoulderdev/cli trust .

Technical details

Risk by Environment

Production (public-facing): HIGH
Patch soon. Exploitation requires specific conditions but impact is severe.
Staging: MEDIUM
Schedule patch. Review if this environment is network-accessible.
Internal services: MEDIUM
Assess exposure. Patch if the service handles sensitive data.
Local dev only: LOW
Minimal risk in isolated dev environments.

AI Development Risk

This vulnerability pattern is commonly introduced when AI generates code.

CWE-79
Cross-site scripting
LLMs often generate handlers that pass request parameters straight into res.redirect(), and HTML rendering code that interpolates user input without escaping.