_posts/2024-09-29-security-releases.md
Recently, the Express team has been made aware of a number of security vulnerabilities in the Express project. We have released a number of patches to address these vulnerabilities.
{% include admonitions/warning.html content="We strongly recommend that you upgrade these modules to the recommended (or latest) version as soon as possible." %}
The following vulnerabilities have been addressed:
body-parser version <1.20.3 is vulnerable to denial of service when URL-encoding is enabled
A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Affected versions: <1.20.3
Patched versions: >=1.20.3
This vulnerability was discovered during the OSTIF audit of Express and was mitigated by the Express security triage team.
For more details, see GHSA-qwcr-r2fm-qrc7.
basic-auth-connect uses a timing-unsafe equality comparison
basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information.
Affected versions: <1.1.0
Patched versions: >=1.1.0
This vulnerability was discovered during the OSTIF audit of Express and was mitigated by the Express security triage team.
For more details, see GHSA-7p89-p6hx-q4fw.
The core express package is vulnerable to cross-site scripting (XSS) attack via response.redirect().
In Express version <4.20.0, passing untrusted user input—even after sanitizing it—to response.redirect() may execute untrusted code.
Affected versions:
- <4.20.0
- >=5.0.0-alpha.1, <5.0.0
Patched versions:
- >=4.20.0
- >=5.0.0
This vulnerability was discovered during the OSTIF audit of Express and was mitigated by the Express security triage team.
For more details, see GHSA-qw6h-vgh9-j6wx.
The send utility module is vulnerable to template injection that can lead to a cross-site scripting (XSS) attack.
Passing untrusted user input—even after sanitizing it—to SendStream.redirect() can execute untrusted code.
Affected versions: < 0.19.0
Patched versions: >=0.19.0
This vulnerability was discovered during the OSTIF audit of Express and was mitigated by the Express security triage team.
For more details, see GHSA-m6fv-jmcg-4jfg.
The serve-static middleware module is vulnerable to template injection that can lead to a cross-site scripting (XSS) attack.
Passing untrusted user input—even after sanitizing it—to redirect() can execute untrusted code.
Affected versions:
- <1.16.0
- >=2.0.0, <2.1.0
Patched versions:
- >=1.16.0
- >=2.1.0
This vulnerability was discovered during the OSTIF audit of Express and was mitigated by the Express security triage team.
For more details, see GHSA-cm22-4g7w-348p.
The path-to-regexp utility module is vulnerable to a regular expression denial of service (ReDoS) attack.
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but in essence, the /a at the end ensures this route would never match, but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.
Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment, using Express v4 and ten concurrent connections results in an average latency of ~600ms vs 1ms.
Affected versions:
- >=4.0.0, <8.0.0
- >=0.2.0, <1.9.0
- <0.1.10
- >=2.0.0, <3.3.0
- >=4.0.0, <6.3.0
Patched versions:
- >=8.0.0
- >=1.9.0
- >=0.1.10
- >=3.3.0
- >=6.3.0
Thanks to Blake Embrey, who reported the issue and created the security patch.
For more details, see GHSA-9wv6-86v2-598j.
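The route shape described above (two parameters in one path segment separated by anything other than a period) is easy to grep for before or after upgrading. The following is an added example, not code from Express or path-to-regexp: a small lint over Express route strings that reports such parameter pairs; the route list and the `PARAM_TOKEN` grammar are assumptions made for the example.

```javascript
// Added example, not code from Express or path-to-regexp: flag route strings with
// two parameters in one path segment separated by anything other than a period,
// e.g. "/:a-:b", which is the pattern the path-to-regexp advisory describes.

// Matches ":name", an optional custom pattern "(...)" and an optional modifier.
// Assumption: custom patterns contain no nested parentheses.
const PARAM_TOKEN = /:(\w+)(\([^)]*\))?([?*+])?/g;

// Returns one finding per adjacent parameter pair inside a single segment whose
// separating literal text contains no period.
function riskyParamPairs(routePath) {
  const findings = [];
  for (const segment of routePath.split('/')) {
    const params = [...segment.matchAll(PARAM_TOKEN)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      if (!separator.includes('.')) {
        findings.push({ segment, params: [prev[1], cur[1]], separator });
      }
    }
  }
  return findings;
}

// Audits a list of route strings and returns only the risky ones with their findings.
function auditRoutes(routePaths) {
  const report = [];
  for (const routePath of routePaths) {
    const findings = riskyParamPairs(routePath);
    if (findings.length > 0) report.push({ routePath, findings });
  }
  return report;
}

// Constructed sample routes (hypothetical); three of the five are risky.
const SAMPLE_ROUTES = [
  '/:a-:b',                       // the advisory's own example
  '/files/:name-:version.:ext',   // name-version is risky, version.ext is fine
  '/users/:id/:name',             // parameters in separate segments, fine
  '/archive/:year.:month',        // period separator, fine
  '/pkg/:scope(@\\w+)?-:name',    // custom pattern plus modifier, still risky
];

console.log(JSON.stringify(auditRoutes(SAMPLE_ROUTES), null, 2));
```

Routes it reports should be rewritten or served by a patched path-to-regexp version; the check is textual only and does not execute any regular expression against input.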