Security updates
Node.js vulnerabilities directly affect Express. Therefore, keep a watch on Node.js vulnerabilities and make sure you are using the latest stable version of Node.js.
The list below enumerates the Express vulnerabilities that were fixed in the specified version update.
Note
If you believe you have discovered a security vulnerability in Express, please see Security Policies and Procedures.
4.x
- 4.21.2
  - The dependency `path-to-regexp` has been updated to address a vulnerability.
- 4.21.1
  - The dependency `cookie` has been updated to address a vulnerability. This may affect your application if you use `res.cookie`.
- 4.20.0
  - Fixed XSS vulnerability in `res.redirect` (advisory, CVE-2024-43796).
  - The dependency `serve-static` has been updated to address a vulnerability.
  - The dependency `send` has been updated to address a vulnerability.
  - The dependency `path-to-regexp` has been updated to address a vulnerability.
  - The dependency `body-parser` has been updated to address a vulnerability. This may affect your application if you had URL encoding activated.
- 4.19.0, 4.19.1
  - Fixed open redirect vulnerability in `res.location` and `res.redirect` (advisory, CVE-2024-29041).
- 4.17.3
  - The dependency `qs` has been updated to address a vulnerability. This may affect your application if the following APIs are used: `req.query`, `req.body`, `req.param`.
- 4.16.0
  - The dependency `forwarded` has been updated to address a vulnerability. This may affect your application if the following APIs are used: `req.host`, `req.hostname`, `req.ip`, `req.ips`, `req.protocol`.
  - The dependency `mime` has been updated to address a vulnerability, but this issue does not impact Express.
  - The dependency `send` has been updated to provide a protection against a Node.js 8.5.0 vulnerability. This only impacts running Express on the specific Node.js version 8.5.0.
- 4.15.5
  - The dependency `debug` has been updated to address a vulnerability, but this issue does not impact Express.
  - The dependency `fresh` has been updated to address a vulnerability. This will affect your application if the following APIs are used: `express.static`, `req.fresh`, `res.json`, `res.jsonp`, `res.send`, `res.sendfile`, `res.sendFile`, `res.sendStatus`.
- 4.15.3
  - The dependency `ms` has been updated to address a vulnerability. This may affect your application if untrusted string input is passed to the `maxAge` option in the following APIs: `express.static`, `res.sendfile`, and `res.sendFile`.
- 4.15.2
  - The dependency `qs` has been updated to address a vulnerability, but this issue does not impact Express. Updating to 4.15.2 is a good practice, but not required to address the vulnerability.
- 4.11.1
  - Fixed root path disclosure vulnerability in `express.static`, `res.sendfile`, and `res.sendFile`.
- 4.10.7
  - Fixed open redirect vulnerability in `express.static` (advisory, CVE-2015-1164).
- 4.8.8
  - Fixed directory traversal vulnerabilities in `express.static` (advisory, CVE-2014-6394).
- 4.8.4
  - Node.js 0.10 can leak `fd`s in certain situations that affect `express.static` and `res.sendfile`. Malicious requests could cause `fd`s to leak and eventually lead to `EMFILE` errors and server unresponsiveness.
- 4.8.0
  - Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.
  - Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
3.x
Express 3.x IS END-OF-LIFE AND NO LONGER MAINTAINED
Known and unknown security and performance issues in 3.x have not been addressed since the last update (1 August, 2015). It is highly recommended to use the latest version of Express.
If you are unable to upgrade past 3.x, please consider Commercial Support Options.
- 3.19.1
  - Fixed root path disclosure vulnerability in `express.static`, `res.sendfile`, and `res.sendFile`.
- 3.19.0
  - Fixed open redirect vulnerability in `express.static` (advisory, CVE-2015-1164).
- 3.16.10
  - Fixed directory traversal vulnerabilities in `express.static`.
- 3.16.6
  - Node.js 0.10 can leak `fd`s in certain situations that affect `express.static` and `res.sendfile`. Malicious requests could cause `fd`s to leak and eventually lead to `EMFILE` errors and server unresponsiveness.
- 3.16.0
  - Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.
  - Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
- 3.3.0
  - The 404 response of an unsupported method override attempt was susceptible to cross-site scripting attacks.