Filtered by vendor Expressjs Subscriptions
Total 4 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2017-16136 1 Expressjs 1 Method-override 2024-11-21 N/A
method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.
CVE-2024-47178 1 Expressjs 1 Basic-auth-connect 2024-11-15 5.3 Medium
basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
CVE-2024-10491 2 Expressjs, Openjsf 2 Express, Express 2024-11-07 4 Medium
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.
CVE-2024-45590 3 Expressjs, Openjsf, Redhat 10 Body-parser, Body-parser, Advanced Cluster Security and 7 more 2024-09-20 7.5 High
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.