Express — CVE history (npm)

Express

7 CVEs affect the Express npm package (highest CVSS 7.5). Latest disclosed: 2024-10-29. Full CVE history sourced from NVD.

Summary

Package: Express (npm)
Total CVEs: 7
Actively exploited (CISA KEV): 0
Highest CVSS: 7.5
Latest disclosed: 2024-10-29

Recent CVEs (top 7)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-10491 | Medium | 4.0 | No | 2024-10-29 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. |
| CVE-2024-9266 | Medium | 4.7 | No | 2024-10-03 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. |
| CVE-2024-43796 | Medium | 5.0 | No | 2024-09-10 | Express.js minimalist web framework for node. |
| CVE-2024-29041 | Medium | 6.1 | No | 2024-03-25 | Express.js minimalist web framework for node. |
| CVE-2022-24999 | High | 7.5 | No | 2022-11-26 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. |
| CVE-2014-6393 | Medium | 6.1 | No | 2017-08-09 | The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via… |
| CVE-2014-6887 | | | No | 2014-10-11 | The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted cer… |

Note: as its own summary states, CVE-2014-6887 concerns the EXPRESS Android application (com.gpshopper.express.android), not the Express npm package; it appears here only because of the shared name.

All-time worst (top 6 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-24999 | High | 7.5 | No | 2022-11-26 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. |
| CVE-2024-29041 | Medium | 6.1 | No | 2024-03-25 | Express.js minimalist web framework for node. |
| CVE-2014-6393 | Medium | 6.1 | No | 2017-08-09 | The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via… |
| CVE-2024-43796 | Medium | 5.0 | No | 2024-09-10 | Express.js minimalist web framework for node. |
| CVE-2024-9266 | Medium | 4.7 | No | 2024-10-03 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. |
| CVE-2024-10491 | Medium | 4.0 | No | 2024-10-29 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. |