The package is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/
to bookings/latest
. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes (or two backslashes, or a slash and a backslash, etc.) it may redirect to a different domain.
Consider the example from the docs. Assume we have run it and started a server on localhost:3000
, then visiting localhost:3000///github.com/
redirects you to https://github.com.
Recommendation
This vulnerability is currently un-patched in the slashify
package so there is no known safe version of this package. Discontinuing use of slashify
is recommended.
References
The package is an Express middleware that normalises routes by stripping any final slash, redirecting, for example,
bookings/latest/
tobookings/latest
. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes (or two backslashes, or a slash and a backslash, etc.) it may redirect to a different domain.Consider the example from the docs. Assume we have run it and started a server on
localhost:3000
, then visitinglocalhost:3000///github.com/
redirects you to https://github.com.Recommendation
This vulnerability is currently un-patched in the
slashify
package so there is no known safe version of this package. Discontinuing use ofslashify
is recommended.References