Express — CVE history (npm)
Express
7 CVEs affect the Express npm package (highest CVSS 7.5). Latest disclosed: 2024-10-29. Full CVE history sourced from NVD.
Summary
- Package: Express (npm)
- Total CVEs: 7
- Actively exploited (CISA KEV): 0
- Highest CVSS: 7.5
- Latest disclosed: 2024-10-29
Recent CVEs (top 7)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-10491 | Medium | 4.0 | — | 2024-10-29 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. |
| CVE-2024-9266 | Medium | 4.7 | — | 2024-10-03 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. |
| CVE-2024-43796 | Medium | 5.0 | — | 2024-09-10 | Express.js minimalist web framework for node. |
| CVE-2024-29041 | Medium | 6.1 | — | 2024-03-25 | Express.js minimalist web framework for node. |
| CVE-2022-24999 | High | 7.5 | — | 2022-11-26 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. |
| CVE-2014-6393 | Medium | 6.1 | — | 2017-08-09 | The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via… |
| CVE-2014-6887 | — | — | — | 2014-10-11 | The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted cer… |
All-time worst (top 6 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-24999 | High | 7.5 | — | 2022-11-26 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. |
| CVE-2024-29041 | Medium | 6.1 | — | 2024-03-25 | Express.js minimalist web framework for node. |
| CVE-2014-6393 | Medium | 6.1 | — | 2017-08-09 | The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via… |
| CVE-2024-43796 | Medium | 5.0 | — | 2024-09-10 | Express.js minimalist web framework for node. |
| CVE-2024-9266 | Medium | 4.7 | — | 2024-10-03 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. |
| CVE-2024-10491 | Medium | 4.0 | — | 2024-10-29 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. |