npm package
express
pkg:npm/express
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-10491 | — | — | | < 4.0.0-rc1 | 4.0.0-rc1 | Oct 29, 2024 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of character… |
| CVE-2024-9266 | Med | 4.7 | | >= 3.4.5, < 4.0.0-rc1 | 4.0.0-rc1 | Oct 3, 2024 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0. |
| CVE-2024-43796 | — | — | | < 4.20.0 | 4.20.0 | Sep 10, 2024 | Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input, even after sanitizing it, to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. |
| CVE-2024-29041 | — | — | | < 4.19.2 | 4.19.2 | Mar 25, 2024 | Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres… |
| CVE-2014-6393 | Med | 6.1 | | < 3.11.0; 4.x < 4.5.0 | 3.11.0, 4.5.0 | Aug 9, 2017 | The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding. |
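Three of the entries above (CVE-2024-9266, CVE-2024-29041 and CVE-2024-43796) concern handing a user-supplied URL to the Express Response object's redirect, and CVE-2024-10491 concerns unsanitized values in the `Link` header. Upgrading past the fixed versions is the fix for the framework side; the following is an added example, not code from this page or from the Express project, of the application-side checks a practitioner would pair with that upgrade. The redirect target is parsed with the WHATWG URL parser (Node's built-in `URL`) against the site's configured origin, and only a re-serialized same-origin path is ever passed on, so protocol-relative, backslash, foreign-host and `javascript:` inputs all collapse to a fallback. Link header targets are serialized from a parsed absolute URL, whose `href` has `<`, `>`, quotes and whitespace percent-encoded and tab/newline stripped, so a value cannot close the `<…>` delimiter. The function names `safeRedirectTarget` and `safeLinkHeader`, the origin `https://app.example` and every sample input are assumptions constructed for this example.

```javascript
// Added example (not Express project code). Function names, the origin and all
// inputs below are assumptions constructed for illustration.

// Resolve a user-supplied redirect target against the site's configured origin
// and return only a same-origin path. The WHATWG parser normalises the input the
// way a browser would (e.g. "/\evil.example" becomes host evil.example), which a
// string-based allow list on the raw input cannot reproduce.
function safeRedirectTarget(input, origin, fallback = '/') {
  if (typeof input !== 'string' || input.length === 0) return fallback;
  let url;
  try {
    url = new URL(input, origin);   // relative inputs resolve against origin
  } catch {
    return fallback;                // unparseable input such as "http://"
  }
  if (url.origin !== origin) return fallback;   // any other host or scheme
  // Re-serialise from the parsed parts; never echo the raw input.
  return url.pathname + url.search + url.hash;
}

// Build a Link header from a { rel: absoluteUrl } map. Each target must parse as
// an absolute http(s) URL; its serialised href has "<", ">", '"' and spaces
// percent-encoded and tab/CR/LF removed, so a value cannot terminate the <...>
// delimiter and inject a second link or parameter. The rel name is restricted to
// a conservative token for the same reason.
function safeLinkHeader(links) {
  const parts = [];
  for (const [rel, target] of Object.entries(links)) {
    if (!/^[a-z][a-z0-9-]*$/i.test(rel)) {
      throw new Error(`invalid rel name: ${JSON.stringify(rel)}`);
    }
    let url;
    try {
      url = new URL(target);        // no base: relative input is rejected
    } catch {
      throw new Error(`not an absolute URL: ${JSON.stringify(target)}`);
    }
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      throw new Error(`unsupported scheme: ${url.protocol}`);
    }
    parts.push(`<${url.href}>; rel="${rel}"`);
  }
  return parts.join(', ');
}

// Constructed sample inputs. In an Express handler the call would be
//   res.redirect(safeRedirectTarget(req.query.next, ORIGIN))
// with ORIGIN taken from configuration, not derived from the Host header.
const ORIGIN = 'https://app.example';
const REDIRECT_SAMPLES = [
  '/account?tab=security',                   // same-origin path: kept
  'https://app.example:443/orders#recent',   // default port: same origin, kept
  '//evil.example/phish',                    // protocol-relative: fallback
  '/\\evil.example',                         // backslash host trick: fallback
  'javascript:alert(1)',                     // opaque scheme, origin "null": fallback
  'https://app.example.attacker.example/',   // prefix-matching host: fallback
  'http://',                                 // unparseable: fallback
];
for (const s of REDIRECT_SAMPLES) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s, ORIGIN));
}
console.log(safeLinkHeader({ next: 'https://api.example/items?page=2' }));
// The injected '>; rel="preload", <' survives only percent-encoded inside the URL.
console.log(safeLinkHeader({ next: 'https://api.example/x>; rel="preload", <https://evil.example/' }));
```

The important design choice is that neither function forwards the caller's string: both re-serialize from the parsed URL, so whatever normalization the parser applies is the same normalization the browser or Link header consumer will see. The origin passed to `safeRedirectTarget` must come from configuration; computing it from the request's `Host` header reintroduces attacker control.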