VYPR
Vendor: Expressjs

Products: 4
CVEs: 17
Across products: 18
Status: Private

Recent CVEs (17)

  • CVE-2025-48997 | High | Jun 3, 2025
    risk 0.50 | cvss | epss 0.00

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field…

  • CVE-2026-5079 | High | Jun 15, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to…

  • CVE-2025-7338 | High | Jul 17, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request…

  • CVE-2025-47944 | High | May 19, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request…

  • CVE-2025-47935 | High | May 19, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed,…

  • CVE-2026-5078 | Medium | Jun 3, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header…

  • CVE-2024-9266 | Medium | Oct 3, 2024
    risk 0.31 | cvss 4.7 | epss 0.00

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0.

  • CVE-2025-13466 | Medium | Nov 24, 2025
    risk 0.29 | cvss | epss 0.00

    body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and…

  • CVE-2026-5038 | Medium | Jun 15, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy…

  • CVE-2026-3520 | Mar 4, 2026
    risk 0.00 | cvss | epss 0.01

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to…

  • CVE-2026-3304 | Feb 27, 2026
    risk 0.00 | cvss | epss 0.01

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version…

  • CVE-2026-2359 | Feb 27, 2026
    risk 0.00 | cvss | epss 0.01

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to…

  • CVE-2024-45590 | Sep 10, 2024
    risk 0.00 | cvss | epss 0.01

    body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This…

  • CVE-2024-43796 | Sep 10, 2024
    risk 0.00 | cvss | epss 0.00

    Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

  • CVE-2024-29041 | Mar 25, 2024
    risk 0.00 | cvss | epss 0.01

    Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL…

  • CVE-2019-5413 | Mar 17, 2019
    risk 0.00 | cvss | epss 0.03

    An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

  • CVE-2014-6887 | Oct 11, 2014
    risk 0.00 | cvss | epss 0.00

    The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.