Medium severity (score 6.1). NVD Advisory. Published Aug 9, 2017. Updated May 13, 2026.
CVE-2014-6393
Description
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
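The following is an added example written for this advisory; it is not Express's own code and does not reproduce its internals. It models the pattern the description names: a 4xx handler that reflects the request path into a text/html body, once without the charset parameter (the pre-3.11 / pre-4.5 behaviour) and once with it, plus a small checker for captured responses and a UTF-7 decoder that shows what an encoding-sniffing browser would render. The handler shape, the header names and the payload are assumptions for illustration.

```javascript
// Added example for CVE-2014-6393; not Express's own code. Models a 4xx handler
// that reflects the request path, with and without a declared charset, and an
// auditor you can point at captured responses. Names below are assumptions.

// HTML-escape the characters a reflecting handler must neutralise.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// A minimal 404 response that reflects method and path after escaping.
// withCharset=false mirrors the advisory's vulnerable behaviour (no charset
// parameter); withCharset=true mirrors the fixed behaviour.
function buildNotFound(method, path, withCharset) {
  const body = `Cannot ${htmlEscape(method)} ${htmlEscape(path)}`;
  return {
    status: 404,
    headers: {
      'Content-Type': withCharset ? 'text/html; charset=utf-8' : 'text/html',
      'Content-Length': String(Buffer.byteLength(body, 'utf8')),
    },
    body,
  };
}

// Extract the charset parameter from a Content-Type value (lower-cased), or
// null when none is declared. Handles the optional quoting of the value.
function charsetOf(contentType) {
  if (!contentType) return null;
  const m = /;\s*charset\s*=\s*"?([^";\s]+)"?/i.exec(contentType);
  return m ? m[1].toLowerCase() : null;
}

// Audit a captured response ({status, headers}): return a finding string for
// 4xx text/* responses that omit charset, null otherwise. Header-name lookup
// is case-insensitive, as HTTP header names are.
function auditResponse(res) {
  const key = Object.keys(res.headers).find((k) => k.toLowerCase() === 'content-type');
  const ct = key ? res.headers[key] : '';
  const is4xx = res.status >= 400 && res.status < 500;
  if (is4xx && /^text\//i.test(ct) && charsetOf(ct) === null) {
    return `status ${res.status}: Content-Type '${ct}' declares no charset`;
  }
  return null;
}

// Decode the "+<modified-base64>-" runs of a UTF-7 string into the characters
// a browser that sniffed the body as UTF-7 would render. "+-" is a literal '+'.
// BMP code points only, which is enough for the payload used here.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+/]*)-?/g, (_, b64) => {
    if (b64 === '') return '+';
    const bytes = Buffer.from(b64, 'base64'); // UTF-16BE code units
    let out = '';
    for (let i = 0; i + 1 < bytes.length; i += 2) {
      out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
    }
    return out;
  });
}

// Walk through the attack. Constructed payload: "<script>alert(1)</script>"
// written in UTF-7, so it contains nothing the escaper touches. The body is
// byte-identical with and without the fix; the charset parameter is the only
// thing that stops a sniffing browser from decoding it as UTF-7.
function demo() {
  const payload = '/+ADw-script+AD4-alert(1)+ADw-/script+AD4-';
  const vulnerable = buildNotFound('GET', payload, false);
  const fixed = buildNotFound('GET', payload, true);
  return {
    bodyContainsAngleBrackets: /[<>]/.test(vulnerable.body),
    sameBody: vulnerable.body === fixed.body,
    renderedIfSniffedAsUtf7: decodeUtf7(vulnerable.body),
    vulnerableFinding: auditResponse(vulnerable),
    fixedFinding: auditResponse(fixed),
  };
}
```

To check a deployed application, request a path that does not exist (for example `curl -si https://host/does-not-exist`), and feed the status and headers into `auditResponse`; any 4xx text response whose Content-Type lacks `charset` matches the pattern this advisory describes. The escaping is not at fault here: the body never contains `<` or `>`. Declaring the charset on every text response removes the browser's freedom to guess the encoding, which is what the patched versions listed below do. Current browsers have dropped UTF-7 sniffing, but an explicit charset remains the correct and cheap defence.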
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| express (npm) | < 3.11.0 | 3.11.0 |
| express (npm) | >= 4.0.0, < 4.5.0 | 4.5.0 |
Affected products
- cpe:2.3:a:openjsf:express:*:*:*:*:*:*:*:* (range: <= 3.10.5)
- cpe:2.3:a:openjsf:express:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:openjsf:express:4.4.5:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-gpvr-g6gh-9mc2 (GHSA: Advisory)
- nodesecurity.io/advisories/express-no-charset-in-content-type-header (NVD: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-6393 (GHSA: Advisory)
- www.npmjs.com/advisories/8 (GHSA: Web)
News mentions
No linked articles in our index yet.