This document might be outdated relative to the documentation in English. For the latest updates, please refer the documentation in English.
This document might be outdated relative to the documentation in English. For the latest updates, please refer the documentation in English.
✖
Security updates
Node.js vulnerabilities directly affect Express. Therefore keep a watch on Node vulnerabilities and make sure you are using the latest stable version of Node.
The list below enumerates the Express vulnerabilities that were fixed in the specified version update.
4.x
- 4.11.1
- Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile
- 4.10.7
- Fixed open redirect vulnerability in express.static (advisory (https://nodesecurity.io/advisories/serve-static-open-redirect), CVE-2015-1164 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1164))
- 4.8.8
- Fixed directory traversal vulnerabilities in
express.static
(advisory , CVE-2014-6394)
- Fixed directory traversal vulnerabilities in
- 4.8.4
- Node.js 0.10 can leak
fd
s in certain situations that affectexpress.static
andres.sendfile
. Malicious requests could causefd
s to leak and eventually leak toEMFILE
errors and server unresponsiveness.
- Node.js 0.10 can leak
- 4.8.0
- Sparse arrays with extremely high indexes in query string could cause the process to run out of memory and crash the server.
- Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
3.x
- 3.19.1
- Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile
- 3.19.0
- Fixed open redirect vulnerability in express.static (advisory (https://nodesecurity.io/advisories/serve-static-open-redirect), CVE-2015-1164 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1164))
- 3.16.10
- Fixed directory traversal vulnerabilities in
express.static
.
- Fixed directory traversal vulnerabilities in
- 3.16.6
- Node.js 0.10 can leak
fd
s in certain situations that affectexpress.static
andres.sendfile
. Malicious requests could causefd
s to leak and eventually leak toEMFILE
errors and server unresponsiveness.
- Node.js 0.10 can leak
- 3.16.0
- Sparse arrays with extremely high indexes in query string could cause the process to run out of memory and crash the server.
- Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
- 3.3.0
- The 404 response of an unsupported method override attempt was susceptible to cross-site scripting attacks.