
expressjs — Vulnerabilities & Security Advisories 13

Browse all 13 CVE security advisories affecting expressjs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Express.js serves as a minimal and flexible Node.js web application framework for building server-side applications and APIs. Historically, it has been susceptible to common web vulnerabilities including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation, often stemming from middleware misconfigurations or input validation flaws. The framework's extensive middleware ecosystem has introduced security challenges, with 13 CVEs documented to date. Notable incidents include the 2018 "prototype pollution" vulnerability affecting multiple packages, demonstrating how core functionality can be compromised. While widely adopted, developers must carefully implement security measures to mitigate risks associated with its lightweight architecture and extensive plugin ecosystem.

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-3520 | Multer vulnerable to Denial of Service via uncontrolled recursion | multer | CWE-674 | 7.5 | - | 2026-03-04 |
| CVE-2026-3304 | Multer vulnerable to Denial of Service via incomplete cleanup | multer | CWE-459 | 7.5 | - | 2026-02-27 |
| CVE-2026-2359 | Multer vulnerable to Denial of Service via resource exhaustion | multer | CWE-772 | 7.5 | - | 2026-02-27 |
| CVE-2025-7338 | Multer vulnerable to Denial of Service via unhandled exception from malformed request | multer | CWE-248 | 7.5 | High | 2025-07-17 |
| CVE-2025-48997 | Multer vulnerable to Denial of Service via unhandled exception | multer | CWE-248 | 7.5 | - | 2025-06-03 |
| CVE-2025-47944 | Multer vulnerable to Denial of Service from maliciously crafted requests | multer | CWE-248 | 7.5 | High | 2025-05-19 |
| CVE-2025-47935 | Multer vulnerable to Denial of Service via memory leaks from unclosed streams | multer | CWE-401 | 7.5 | High | 2025-05-19 |
| CVE-2024-9266 | Open Redirect | express | CWE-601 | 4.7 | Medium | 2024-10-03 |
| CVE-2024-47178 | basic-auth-connect's callback uses time unsafe string comparison | basic-auth-connect | CWE-208 | 3.7 | - | 2024-09-30 |
| CVE-2024-45590 | body-parser vulnerable to denial of service when url encoding is enabled | body-parser | CWE-405 | 7.5 | High | 2024-09-10 |
| CVE-2024-43800 | serve-static affected by template injection that can lead to XSS | serve-static | CWE-79 | 5.0 | Medium | 2024-09-10 |
| CVE-2024-43796 | express vulnerable to XSS via response.redirect() | express | CWE-79 | 5.0 | Medium | 2024-09-10 |
| CVE-2024-29041 | Express.js Open Redirect in malformed URLs | express | CWE-601 | 6.1 | Medium | 2024-03-25 |

This page lists every published CVE security advisory associated with expressjs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.