CVE-2024-43799 - Critical RCE in Send Library Can Turn File Streaming into Server Exploit

On May 22, 2024, a critical remote code execution (RCE) vulnerability was disclosed in Send, a popular Node.js library used for streaming files over HTTP. Labeled as CVE-2024-43799, this bug is severe, allowing attackers to execute arbitrary code on servers running vulnerable versions—just by sending a crafted HTTP request. Here’s a breakdown, hands-on examples, and how to stay safe.

What is Send, and Why Should You Care?

If you’ve built a Node.js backend that serves static files (images, stylesheets, downloads—you name it), there’s a good chance you’re already using Send directly or through frameworks like Express. Send’s job is simple: fetch local files and stream them to users.

But if you’re running Send version lower than .19., attackers can use specially-crafted requests to execute code on your server—not just download files.

The Vulnerability: How Does CVE-2024-43799 Work?

The root cause lies in how Send uses untrusted input (from the HTTP request) in the SendStream.redirect() method. This code path doesn't sanitize the user input properly. If an attacker sends a malicious request, Send will unwittingly run whatever code the attacker injects.

Here’s a conceptual version of what happens under the hood

const send = require('send');
const http = require('http');

// Vulnerable usage
const server = http.createServer(function(req, res) {
  // Attacker controls req.url
  send(req, req.url).pipe(res);
});
server.listen(300);

If you send a request like this

GET http://yourserver:300/evil%acode

the server may process /evil\ncode as a redirected path. Because redirect() trusts this path and fails to sanitize it, arbitrary code execution can occur depending on context.

> NOTE: The actual exploit may be different depending on deployment, but the unsanitized value can result in RCE if chained with other vulnerabilities or exploited on certain Node.js versions.

A simple proof of concept exploit might look like

// Attacker crafts a malicious URL
fetch('http://target-server:300/%acode_to_execute';)
  .then(res => res.text())
  .then(console.log)

Alternatively, attackers may use curl

curl "http://target-server:300/\xacode_to_execute";

If exploited, the server could execute or leak sensitive information, or allow further attacks.

Official References

- Original Advisory: GHSA-xvwh-6q63-qphg on GitHub
- NVD entry for CVE-2024-43799
- Send v.19. release notes (the fix)

How to Patch

Upgrade send to v.19. immediately.
If you use Express, update to a patch version that bumps send.

Updating

npm install send@.19.

Or for Express

npm update express

After updating, verify your lockfiles and dependencies

npm ls send

Make sure you don’t have any subdependencies stuck on older versions!

How Did They Fix It?

The maintainer patched the library by sanitizing user input and making sure SendStream.redirect() does not process untrusted data directly.

Upgrade dependencies regularly, especially those that touch public endpoints.

- Check advisories for everything you use: GitHub Security Advisories, NVD, Snyk.

In Summary

CVE-2024-43799 is a nasty RCE in a widely-used file streaming library. If you run any Node service that streams files, check your send version. Upgrade now—vulnerable servers are easy targets for quick mass exploitation.

Stay safe. Patch today.

Do you have more questions about Node.js security? Want more detailed exploit breakdowns? Let us know below!

Timeline

Published on: 09/10/2024 15:15:17 UTC
Last modified on: 09/20/2024 16:57:14 UTC