Vulnerability Report - Redirect handling depends on vulnerable Express redirect logic

[trilokdhaked]

Vulnerability name : Redirect handling depends on vulnerable Express redirect logic

Severity: Medium

Affected locations:

• package.json:34
• src/getRouter.js:87-89

Description

The SDK forwards addon-provided redirect targets directly into res.redirect(307, resp.redirect). The pinned express@4.16.3 release is affected by published advisories for:

• XSS via response.redirect()
• Open redirect in malformed URLs

The sink is reachable whenever an addon handler returns a redirect value. In practice, exploitability depends on whether addon code derives that value from untrusted upstream or user-controlled input. This means the issue is conditional, but still security-relevant: the SDK ships a known-vulnerable redirect implementation and exposes it as part of its response handling path.

Steps to reproduce

1. Clone the repository and run npm install.
2. Run npm audit --json --omit=dev.
3. Confirm that express@4.16.3 is flagged for:
   • GHSA-qw6h-vgh9-j6wx
   • GHSA-rv95-896h-c2vc
4. Create an addon handler that returns a redirect derived from external input.
5. Request the affected route and verify that the SDK passes the value unchanged to res.redirect().
6. Validate behavior with the vendor advisory test cases for the affected Express version.

Proof of concept

Reachable sink in the SDK:

if (resp.redirect) {
  res.redirect(307, resp.redirect)
  return
}

Locally reported advisories:

express vulnerable to XSS via response.redirect()
https://github.com/advisories/GHSA-qw6h-vgh9-j6wx

Express.js Open Redirect in malformed URLs
https://github.com/advisories/GHSA-rv95-896h-c2vc

Security impact

• Open redirect if addons pass attacker-controlled redirect targets
• Client-side script execution risk in redirect-related browser flows on affected Express versions
• Phishing and trust-abuse opportunities if redirect values are sourced from untrusted inputs

impact

• Brand and trust damage from phishing-style redirects
• Support and incident handling costs
• Potential abuse of partner or affiliate traffic flows

Remediation

• Upgrade express to >=4.21.2 or a newer supported release after compatibility testing
• Treat resp.redirect as untrusted data and validate scheme, host, and normalization before redirecting
• Prefer an allowlist of redirect destinations where possible
• Reject malformed or non-HTTP(S) redirect targets

---

[estilles]

In addition to then Express "Redirect handling" vulnerability described above, I've encountered a number of other vulnerabilities ... 18 in total (7 low, 1 moderate, 8 high, and 2 critical). See the complete npm audit report below.

I've updated all the dependencies and addressed any issues caused by breaking changes. Here's a list of the packages I've fixed (for personal consumption), along with a link to a branch with the fixes.

Module	Branch With Fixes
stremio-addon-linter	link to branch
stremio-addon-client	link to branch
stremio-addon-sdk	link to branch

I don't see any contribution guidelines in the repo, so I'm not entire sure if the maintainers are "contributor friendly". If they happen to read this and they are (contributor friendly) ... I'd be more than happy to submit PRs.

---

The npm audit report

# npm audit report

body-parser  <=1.20.2
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

brace-expansion  <1.1.13
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie


lodash  <=4.17.23
Severity: high
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/mkdirp/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

node-fetch  <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/node-fetch

path-to-regexp  <=0.1.12
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp contains a ReDoS - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix --force`
Will install router@2.2.0, which is a breaking change
node_modules/path-to-regexp
  router  1.0.0-beta.1 - 2.0.0-beta.2
  Depends on vulnerable versions of path-to-regexp
  node_modules/router

qs  <=6.14.0
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs

semver  2.0.0-alpha - 5.7.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver

send  <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install inquirer@13.4.2, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/inquirer
      eslint  4.0.0-alpha.0 - 7.2.0
      Depends on vulnerable versions of inquirer
      node_modules/eslint

18 vulnerabilities (7 low, 1 moderate, 8 high, 2 critical)

Fixes to stremio-addon-linter

Description	Commit	Breaking?
bump semver from 5.5.0 to 7.7.4	27f88a0	No
bump tape from 4.9.2 to 5.9.0	f086bb0	No

Fixes to stremio-addon-client

Description	Commit	Breaking?
bump node-fetch from 2.1.2 to 3.3.2	b183c12	Yes
bump thunky from 1.0.2 to 1.1.0	a833977	No
bump url from 0.11.0 to 0.11.4	b45349b	No
bump tape from 4.9.0 to 5.9.0	84ab74a	No
fix semver high severity vulnerability	5b70e20	No
add nock-based HTTP mocks to unit tests	921a4b0	N/A (See NOTE below)

NOTE: 921a4b0 is just a quality of service commit to make some existing unit tests isolated and deterministic.

Fixes to stremio-addon-sdk

Description	Commit	Breaking?
set server port to 0 in unit test	291e9ed	N/A (See NOTE below)
bump chalk from 2.4.2 to 5.6.2	828d949	No
bump cors from 2.8.4 to 2.8.6	ec697d1	No
bump inquirer from 6.2.2 to 13.4.2	effdc35	Yes
bump mkdirp from 0.5.1 to 3.0.1	f683013	Yes
bump node-fetch from 2.3.0 to 3.3.2	8cf73b6	Yes
bump opn from 5.4.0 to 5.5.0	78c2729	No
bump supertest 3.3.0 to 7.2.2	8c5b7ab	No
bump tape from 4.9.0 to 5.9.0	7b88e92	No
bump typescript from 5.9.0 to 6.0.3	2cf6264	No
bump eslint from 5.13.0 to 10.3.0	800b9f9	Yes (configuration migration)
fix no-unused-vars eslint error	3346798	N/A (See NOTE below)
bump express from 4.22.1 to 5.2.1	7239cb1	Yes (changes in 4c2f3c1)
bump router from 1.3.3 to 2.2.0	0fac480	Yes (changes in 4c2f3c1)
update getRouter usage of new router	4c2f3c1	N/A (See NOTE below)
fix brace-expansion/semver vulnerabilities	5738d3e	No

NOTE: 291e9ed is just a quality of service commit to make some existing unit tests deterministic. Server port was set to 5000. If any other process is using port 5000 when running the unit tests they will fail. Using 0 automatically assigns an available port.

NOTE: 3346798 is related to the ESLint bump in 800b9f9, after which an unused catch parameter in a try/catch block is flagged by the no-unused-vars rule. As of ES2019, the catch parameter is optional, so I simply removed it.

NOTE: 4c2f3c1 fixes breaking changes in 7239cb1 and 0fac480. A separate commit was necessary because the new versions of express and router broke when using older versions of the other. It was simply easier to fix the breaking changes after both were upgraded.

Note

In the "Fixes to..." tables above, the "Breaking?" column only indicates if any breaking changes affected the corresponding module.