Preload arbitrary resources by injecting additional `Link` headers
Description
A vulnerability has been identified in the Express `response.links()` function, allowing arbitrary resource injection into the `Link` header when unsanitized data is used.
The issue arises from missing sanitization of `Link` header values: a value containing the structural characters `,`, `;`, `<` and `>` can close the legitimate link and append further entries, so an attacker can make the header preload resources of their choosing.
This vulnerability is especially relevant where dynamic values, such as request parameters, are passed straight into `res.links()`.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Express response.links() function allows arbitrary resource injection in Link header due to improper sanitization, enabling malicious resource preloading.
Vulnerability Description
A resource injection vulnerability exists in the Express response.links() function, allowing arbitrary injection into the Link header when unsanitized data is used [1]. The root cause is improper sanitization of Link header values, which permits characters such as `,`, `;`, `<` and `>` to be used to inject malicious resources [3].
Attack Vector
The vulnerability is especially relevant for dynamic parameters where user input is directly passed to res.links() [1]. An attacker can craft a malicious query parameter containing `<` and `>` to inject arbitrary Link header values, as demonstrated in a proof-of-concept [3][4]. For example, a payload like `?resource=http://api.example.com/users?resource=>; rel="preload", <http://api.malicious.com/1.js>; rel="preload"` can be used to preload external resources [3].
Impact
Successful exploitation allows an attacker to inject arbitrary resource links into the HTTP response header, potentially leading to resource injection attacks such as preloading malicious scripts or resources [1][3]. This could result in unintended resource loading or information disclosure.
Mitigation
The issue affects Express versions 3.0.0-alpha1 through 3.21.2 [3]; the GitHub Security Advisory range listed under "Affected packages" below is given as < 4.0.0-rc1. It has been fixed in Express NES v3.21.5 [3]. Users should upgrade to the patched version or validate user input before passing it to res.links(), so that values containing `<`, `>`, `,` or `;` never reach the header [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
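The attack vector and the mitigation above, as an added worked example (this is not code from Express, from the advisory or from the proof-of-concept). The first function reimplements, for offline use, the unescaped string-building shape of `res.links()`: each `rel`/URL pair becomes `<url>; rel="rel"` and pairs are joined with `, `. The payload is the query-parameter value quoted on this page. `buildLinkHeaderSafe`, `safeLinkTarget`, `parseLinkHeader` and the `ALLOWED_ORIGINS` allow-list are names and a policy assumed here for illustration, not an Express API.

```javascript
// Added example (not Express code): a model of the unsanitized Link header
// builder next to a hardened wrapper. Runs offline under Node, no modules.

// Model of res.links() string building: each rel/URL pair becomes
// `<url>; rel="rel"`, pairs are joined with ", ", nothing is escaped.
// Any `<`, `>`, `,` or `;` inside a URL therefore changes the header's
// structure instead of staying inside the URL.
function buildLinkHeaderUnsafe(links, existing = '') {
  const head = existing ? existing + ', ' : '';
  return head + Object.keys(links)
    .map((rel) => '<' + links[rel] + '>; rel="' + rel + '"')
    .join(', ');
}

// Simplified Link header parser (RFC 8288 shape): returns the entries a
// lenient client would extract, which makes forged entries visible.
function parseLinkHeader(header) {
  const entries = [];
  const re = /<([^>]*)>\s*;\s*rel="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    entries.push({ url: m[1], rel: m[2] });
  }
  return entries;
}

// Assumed policy for the hardened wrapper: link targets must be absolute
// URLs on an allow-listed origin and may not contain characters that have
// structural meaning in the header. `<` and `>` are not valid raw URI
// characters anyway; `,` and `;` are legal in URIs but ambiguous to a
// lenient parser, so a target that needs them should percent-encode them
// before it reaches this function.
const ALLOWED_ORIGINS = new Set(['https://api.example.com']); // assumed

function safeLinkTarget(value, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof value !== 'string' || /[<>,;"\s]/.test(value)) {
    throw new Error('invalid characters in Link target');
  }
  let url;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch (e) {
    throw new Error('Link target must be an absolute URL');
  }
  if (!allowedOrigins.has(url.origin)) {
    throw new Error('Link target origin not allowed: ' + url.origin);
  }
  return url.href;
}

function buildLinkHeaderSafe(links, existing = '') {
  const vetted = {};
  for (const rel of Object.keys(links)) {
    // rel is attacker-reachable in principle too; keep it to a plain token.
    if (!/^[A-Za-z0-9-]+$/.test(rel)) throw new Error('invalid rel: ' + rel);
    vetted[rel] = safeLinkTarget(links[rel]);
  }
  return buildLinkHeaderUnsafe(vetted, existing);
}

// Constructed input: the query-parameter value from the payload quoted on
// this page, i.e. what `req.query.resource` would hold.
const PAYLOAD =
  'http://api.example.com/users?resource=>; rel="preload", ' +
  '<http://api.malicious.com/1.js>; rel="preload"';

// Builds the header both ways and returns what a client would see.
function demo() {
  const unsafeHeader = buildLinkHeaderUnsafe({ preload: PAYLOAD });
  const entriesSeen = parseLinkHeader(unsafeHeader); // two entries, one forged
  let rejection = null;
  try {
    buildLinkHeaderSafe({ preload: PAYLOAD });
  } catch (e) {
    rejection = e.message; // hardened path refuses the value outright
  }
  return { unsafeHeader, entriesSeen, rejection };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the unsanitized header carrying a second `rel="preload"` entry for `http://api.malicious.com/1.js`, while the hardened builder rejects the same value before any header is set. Rejecting rather than escaping is deliberate: a `Link` target that legitimately needs `,` or `;` should arrive already percent-encoded, and anything that still contains header-structural characters is not a URL the application meant to emit.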
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| express (npm) | < 4.0.0-rc1 | 4.0.0-rc1 |
Affected products
OSV coordinates (no CPE mapping):
- pkg:deb/ubuntu/node-express@4.1.1~dfsg-1?arch=source&distro=esm-apps/bionic (range: >= 0)
- pkg:deb/ubuntu/node-express@4.1.1~dfsg-1?arch=source&distro=esm-apps/xenial (range: >= 0)
- pkg:deb/ubuntu/node-express@4.17.1-2?arch=source&distro=esm-apps/focal (range: >= 0)
- pkg:deb/ubuntu/node-express@4.17.3+~4.17.13-1?arch=source&distro=jammy (range: >= 0)
- pkg:deb/ubuntu/node-express@4.19.2+~cs8.36.21-1?arch=source&distro=noble (range: >= 0)
- pkg:deb/ubuntu/node-express@4.19.2+~cs8.36.26-1?arch=source&distro=oracular (range: >= 0)
- pkg:deb/ubuntu/node-express@4.21.0+~cs8.36.26-2?arch=source&distro=plucky (range: >= 0)
- pkg:npm/express (range: < 4.0.0-rc1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.