安全更新
Node.js vulnerabilities directly affect Express. Node.js 漏洞直接影响 Express。因此,请监视 Node.js 漏洞并确保使用最新稳定版的 Node.js。
以下列举了在指定版本更新中修复的 Express 漏洞。
Note
If you believe you have discovered a security vulnerability in Express, please see Security Policies and Procedures.
4.x
- 4.21.2
- The dependency
path-to-regexphas been updated to address a vulnerability.
- The dependency
- 4.21.1
- The dependency
cookiehas been updated to address a vulnerability, This may affect your application if you useres.cookie.
- The dependency
- 4.20.0
- Fixed XSS vulnerability in
res.redirect(advisory, CVE-2024-43796). - The dependency
serve-statichas been updated to address a vulnerability. - The dependency
sendhas been updated to address a vulnerability. - The dependency
path-to-regexphas been updated to address a vulnerability. - The dependency
body-parserhas been updated to addres a vulnerability, This may affect your application if you had url enconding activated.
- Fixed XSS vulnerability in
- 4.19.0, 4.19.1
- Fixed open redirect vulnerability in
res.locationandres.redirect(advisory, CVE-2024-29041).
- Fixed open redirect vulnerability in
- 4.17.3
- The dependency
qshas been updated to address a vulnerability. This may affect your application if the following APIs are used:req.query,req.body,req.param.
- The dependency
- 4.16.0
- The dependency
forwardedhas been updated to address a vulnerability. This may affect your application if the following APIs are used:req.host,req.hostname,req.ip,req.ips,req.protocol. - The dependency
mimehas been updated to address a vulnerability, but this issue does not impact Express. - The dependency
sendhas been updated to provide a protection against a Node.js 8.5.0 vulnerability. This only impacts running Express on the specific Node.js version 8.5.0.
- The dependency
- 4.15.5
- The dependency
debughas been updated to address a vulnerability, but this issue does not impact Express. - The dependency
freshhas been updated to address a vulnerability. This will affect your application if the following APIs are used:express.static,req.fresh,res.json,res.jsonp,res.send,res.sendfileres.sendFile,res.sendStatus.
- The dependency
- 4.15.3
- The dependency
mshas been updated to address a vulnerability. This may affect your application if untrusted string input is passed to themaxAgeoption in the following APIs:express.static,res.sendfile, andres.sendFile.
- The dependency
- 4.15.2
- The dependency
qshas been updated to address a vulnerability, but this issue does not impact Express. Updating to 4.15.2 is a good practice, but not required to address the vulnerability.
- The dependency
- 4.11.1
- 修复了
express.static、res.sendfile和res.sendFile中的根路径披露漏洞
- 修复了
- 4.10.7
- 在
express.static(公告、CVE-2015-1164)中修复了开放重定向漏洞。
- 在
- 4.8.8
- 在
express.static(公告、CVE-2014-6394)中修复了目录遍历漏洞。
- 在
- 4.8.4
- Node.js 0.10 在某些情况下可能会泄漏
fd,这会影响express.static和res.sendfile。恶意请求会导致fd泄漏并最终导致EMFILE错误和服务器无响应。 Malicious requests could causefds to leak and eventually lead toEMFILEerrors and server unresponsiveness.
- Node.js 0.10 在某些情况下可能会泄漏
- 4.8.0
- 查询字符串中具有极高数量索引的稀疏数组会导致进程耗尽内存并使服务器崩溃。
- 极端嵌套查询字符串对象会导致进程阻塞并使服务器暂时无响应。
3.x
Express 3.x 不再受到维护
Known and unknown security and performance issues in 3.x have not been addressed since the last update (1 August, 2015). It is highly recommended to use the latest version of Express.
If you are unable to upgrade past 3.x, please consider Commercial Support Options.
- 3.19.1
- 修复了
express.static、res.sendfile和res.sendFile中的根路径披露漏洞
- 修复了
- 3.19.0
- 在
express.static(公告、CVE-2015-1164)中修复了开放重定向漏洞。
- 在
- 3.16.10
- 在
express.static中修复了目录遍历漏洞。
- 在
- 3.16.6
- Node.js 0.10 在某些情况下可能会泄漏
fd,这会影响express.static和res.sendfile。恶意请求会导致fd泄漏并最终导致EMFILE错误和服务器无响应。 Malicious requests could causefds to leak and eventually lead toEMFILEerrors and server unresponsiveness.
- Node.js 0.10 在某些情况下可能会泄漏
- 3.16.0
- 查询字符串中具有极高数量索引的稀疏数组会导致进程耗尽内存并使服务器崩溃。
- 极端嵌套查询字符串对象会导致进程阻塞并使服务器暂时无响应。
- 3.3.0
- 不受支持的方法覆盖尝试的 404 响应易于受到跨站点脚本编制攻击。