express (npm)
5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting express (page 1 of 1)
- CVE-2014-6393 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.5.0 | 2017-08-09
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via…
- CVE-2024-10491 | MEDIUM | CVSS 4.0 | EG 4.0 | ✓ Fixed in 4.0.0-rc1 | 2024-10-29
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values,…
- CVE-2024-29041 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 5.0.0-beta.3 | 2024-03-25
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a …
- CVE-2024-43796 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 5.0.0 | 2024-09-10
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
- CVE-2024-9266 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 4.0.0-rc1 | 2024-10-03
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0.