CVE-2021-3189

Description

The package is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, `bookings/latest/` to `bookings/latest`. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes (or two backslashes, or a slash and a backslash, etc.) it may redirect to a different domain. Consider the [example from the docs](https://www.npmjs.com/package/slashify#usage). Assume we have run it and started a server on `localhost:3000`, then visiting `localhost:3000///github.com/` redirects you to https://github.com. ## Recommendation This vulnerability is currently un-patched in the `slashify` package so there is no known safe version of this package. Discontinuing use of `slashify` is recommended.

How to fix CVE-2021-3189

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2021-3189 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 1.0.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3189
• ADVISORYsecuritylab.github.com/advisories/GHSL-2020-199-open-redirect-slashify
• WEBgithub.com/divshot/slashify
• WEBsecurity.netapp.com/advisory/ntap-20210401-0004
• WEB