Express versions 3.4.1 and 3.4.0, both Sinatra-inspired web development frameworks, showcase subtle but noteworthy differences for developers. Version 3.4.1, released on October 16, 2013, features an upgrade in its connect dependency, moving from version 2.9.0 to 2.9.1 and commander updated from 1.2.0 to 2.0.0. These dependency updates indicate potential bug fixes, performance improvements, or new features within those underlying libraries, indirectly benefiting Express applications. Furthermore, should dependency was downgraded from version * to version 2
Both share core dependencies essential for web application development, including send for efficient static file serving, debug for enhanced debugging capabilities, fresh for HTTP cache handling, and cookie and cookie-signature for secure cookie management. The presence of mkdirp illustrates Express's ability to handle directory creation, while methods aids in defining HTTP methods, and range-parser facilitates handling HTTP range requests.
Developers using Express should note the consistent inclusion of development dependencies like ejs, hjs, and jade for templating, mocha for testing, marked for Markdown processing, stylus for CSS pre-processing, supertest for API testing, and connect-redis for Redis-backed session management. Examining the changelogs of connect and commander between these versions is recommended to fully understand the implications of the update for their specific project. The slight modifications likely address minor issues and refine existing functionalities rather than introduce groundbreaking changes, making the upgrade generally safe and beneficial.
All the vulnerabilities related to the version 3.4.1 of the package
No Charset in Content-Type Header in express
Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.
For express 3.x, update express to version 3.11 or later. For express 4.x, update express to version 4.5 or later.
Express ressource injection
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and <> to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.
Express.js Open Redirect in malformed URLs
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94
An initial fix went out with express@4.19.0, we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.
The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.
https://github.com/expressjs/express/pull/5539 https://github.com/koajs/koa/issues/1800 https://expressjs.com/en/4x/api.html#res.location
express vulnerable to XSS via response.redirect()
In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code
this issue is patched in express 4.20.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.
For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.
Cross-Site Scripting in connect
connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
Update to version 1.0.0 or later
Denial-of-Service Memory Exhaustion in qs
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
cookie-signature Timing Attack
Affected versions of cookie-signature are vulnerable to timing attacks as a result of using a fail-early comparison instead of a constant-time comparison.
Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character feedback on the correctness of a guess via miniscule timing differences.
Under favorable network conditions, an attacker can exploit this to guess the secret in no more than charset*length guesses, instead of charset^length guesses required were the timing attack not present.
Update to 1.0.4 or later.
