express-4.16.4.tgz: 2 vulnerabilities (highest severity is: 5.3) [main] #34

@mdp-local

📂 Vulnerable Library - express-4.16.4.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.16.4.tgz

Path to dependency file: /package.json

Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-51999 | 🟠 Medium | 5.3 | N/A | N/A | express-4.16.4.tgz | Direct | N/A | | |
| CVE-2024-10491 | 🟠 Medium | 4.0 | Not Defined | < 1% | express-4.16.4.tgz | Direct | express - 4.0.0-rc1,express - 4.0.0-rc1 | | |

Details

🟠CVE-2024-51999

Dependency Hierarchy:

  • express-4.16.4.tgz (Vulnerable Library)

Vulnerability Details

Impact

When using the extended query parser in express ("'query parser': 'extended'"), the "request.query" object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names.

Important: the extended query parser is the default in express 4; this was changed in express 5, which by default uses the simple query parser.

Patches

The issue has been patched to ensure "request.query" is a plain object, so "request.query" no longer has object prototype properties. This brings the default behavior of extended query parsing in line with express's default simple query parser.

Workaround

This only impacts users using extended query parsing ("'query parser': 'extended'"), which is the default in express 4, but not express 5. All users are encouraged to upgrade to the patched versions, but can otherwise work around this issue by providing "qs" directly and specifying "plainObjects: true":

    const qs = require('qs'); // provide "qs" directly

    // Parse the query string into a plain object with no prototype properties
    app.set('query parser', function (str) {
      return qs.parse(str, { plainObjects: true });
    });

Publish Date: Dec 02, 2025 03:01 AM

URL: CVE-2024-51999

Threat Assessment

Exploit Maturity: N/A

EPSS: N/A

Score: 5.3


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠CVE-2024-10491

Dependency Hierarchy:

  • express-4.16.4.tgz (Vulnerable Library)

Vulnerability Details

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in "Link" header values, which can allow a combination of characters like ",", ";", and "<>" to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.

Publish Date: Oct 29, 2024 04:23 PM

URL: CVE-2024-10491

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 4.0


Suggested Fix

Type: Upgrade version

Origin: GHSA-cm5g-3pgc-8rg4

Release Date: Oct 29, 2024 04:23 PM

Fix Resolution : express - 4.0.0-rc1,express - 4.0.0-rc1
