Search: OpenjsfExpress

5 matches found

CVE
added 2022/11/26 12:00 a.m., 574 views

CVE-2022-24999

CVE-2022-24999 affects the qs library prior to 6.10.3, as used by Express before 4.17.3. It enables prototype poisoning via a[__proto__] keys in query strings, which can hang a Node process. An unauthenticated remote attacker can place the payload in the URL query. The advisory notes backported fixes to qs versi...

CVSS 7.5 | AI score 7.3 | EPSS 0.14663
CVE
added 2024/03/25 8:20 p.m., 432 views

CVE-2024-29041

CVE-2024-29041 – Open Redirect in Express.js. Express.js versions prior to 4.19.0 and all pre-release 5.0 alpha/beta versions are affected by an open redirect via user-provided redirect URLs. The flaw stems from the use of encodeurl in res.location()/res.redirect(), allowing bypass of allowlists in redirectio...

CVSS 6.1 | AI score 6.2 | EPSS 0.00786
CVE
added 2024/09/10 2:36 p.m., 317 views

CVE-2024-43796

CVE-2024-43796: Express.js (Node) is vulnerable in versions prior to 4.20.0, where untrusted input passed to response.redirect() can lead to execution of untrusted code. This is mitigated by upgrading to Express.js 4.20.0 or newer; the issue is categorized under a cross-site scripting concern in the...

CVSS 5 | AI score 5.8 | EPSS 0.00458
CVE
added 2017/08/09 6:00 p.m., 77 views

CVE-2014-6393

CVE-2014-6393 affects the Express web framework for Node.js (versions prior to 3.11, and 4.x prior to 4.5). Root cause: a missing charset field in the HTTP Content-Type header of 400-level responses, enabling potential XSS via non-standard encodings. Affected component/file: Express’s Content-Type han...

CVSS 6.1 | AI score 5.9 | EPSS 0.01135
CVE
added 2024/10/29 4:23 p.m., 70 views

CVE-2024-10491

The CVE-2024-10491 entry concerns the Express framework: the response.links function mishandles sanitization of Link header values, enabling arbitrary resource injection via certain characters (e.g., the characters , and ;). Publicly linked sources (GHSA, OSV, Debian OSV entries) reiterate the same issue and describ...

CVSS 5.3 | AI score 4.6 | EPSS 0.00429