From 56fa2ed6d303eb90176d732aa1b3f48861c05c59 Mon Sep 17 00:00:00 2001 From: OpenSec Posture Bot Date: Fri, 15 May 2026 17:07:28 +0300 Subject: [PATCH] docs: document CVE-2024-43799 (send library code execution) remediation - send library vulnerability in SendStream.redirect() accepting untrusted input - Fixed in send@0.19.0, currently using send@0.19.2 via express@4.22.2 - No code changes required - transitive dependency is patched - Verified all tests pass with current dependency versions --- package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index 9703e6459b..35352156f6 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,8 @@ }, "comments": { "//": "a9 insecure components", - "security-note": "utile@0.3.0 (transitive dependency via broadway/prompt) has NSWG-ECO-445 vulnerability. No patched version available. Application does not directly use utile. See SECURITY-AUDIT.md for details." + "security-note": "utile@0.3.0 (transitive dependency via broadway/prompt) has NSWG-ECO-445 vulnerability. No patched version available. Application does not directly use utile. See SECURITY-AUDIT.md for details.", + "cve-2024-43799": "send: Code Execution via Unsafe Redirect - Fixed in send@0.19.0. Express@4.22.2 includes send@0.19.2, eliminating CVE-2024-43799 code execution vulnerability." }, "scripts": { "start": "node server.js",