CVE-2024-43799

NameCVE-2024-43799
DescriptionSend is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1081483

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-send (PTS)bullseye0.17.1-2vulnerable
bookworm0.18.0+~cs1.19.1-3vulnerable
sid, trixie1.1.0+~cs1.19.4-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-sendsource(unstable)(unfixed)1081483

Notes

[bookworm] - node-send <no-dsa> (Minor issue)
[bullseye] - node-send <postponed> (Minor issue)
https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 (0.19.0)

Search for package or bug name: Reporting problems