Express.js sees an update from version 4.19.2 to 4.20.0, offering incremental improvements for developers building web applications with Node.js. Both versions maintain Express's core philosophy as a fast, unopinionated, and minimalist web framework, providing the essential tools for routing, middleware integration, and request handling.
A notable change lies within the dependencies. The send package is updated from version 0.18.0 to 0.19.0 in version 4.20.0, probably containing bug fixes and performance improvements. Additionally, body-parser advances from 1.20.2 to 1.20.3, and serve-static jumps from 1.15.0 to 1.16.0. The encodeurl package updates from 1.0.2 to 2.0.0. Dependency updates like these typically bring enhanced security and performance improvements.
Developers should pay particular attention to the send, body-parser, serve-static and encodeurl updates, reviewing the changelogs for those packages to understand the specific changes and ensure compatibility with their existing code. The other dependencies are the same between the two versions, ensuring developers that the majority of the code will work in the same way. Both versions use the same development dependencies which means that the development experience will be very similar.
The release date also shows that version 4.20.0 is a more recent version of the package, which means it will contain the latest support.
All the vulnerabilities related to the version 4.20.0 of the package
cookie accepts cookie name, path, and domain with out of bounds characters
The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.
A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.
Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.
path-to-regexp contains a ReDoS
The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296
Upgrade to 0.1.12.
Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.
