express

No Charset in Content-Type Header

Severity: moderate

Overview

Vulnerable versions of express do not specify a charset field in the Content-Type header when sending 400-level response messages. Because the user's browser is not forced to use the correct charset, an attacker could leverage this to perform a cross-site scripting attack using a non-standard encoding such as UTF-7.

Remediation

For express 3.x, update express to version 3.11 or later. For express 4.x, update express to version 4.5 or later.
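The following is an added example, not express's own code, illustrating the header defect the advisory describes and a defensive fix for handlers that set Content-Type by hand. The names withCharset, charsetGuard, weakNotFound, hardenedNotFound and FakeResponse are this example's own, and FakeResponse is a constructed stand-in for Node's http.ServerResponse so the code runs with no server.

```javascript
// Added example (not express's own code). Shows a 4xx response whose
// Content-Type names only the media type beside a hardened form, plus an
// Express-style middleware that patches any text Content-Type lacking a
// charset before the headers are flushed.

// Media types whose body is interpreted as text and therefore need a charset.
const TEXT_TYPES = /^(text\/|application\/(json|javascript|xml|xhtml\+xml|problem\+json))/i;

// Return the header value with "charset=<charset>" appended when the media
// type is textual and no charset parameter is present; all other values
// (binary types, values that already carry a charset) are returned unchanged.
function withCharset(contentType, charset = 'utf-8') {
  if (typeof contentType !== 'string' || contentType.trim() === '') return contentType;
  const [mediaType, ...params] = contentType.split(';').map(s => s.trim()).filter(Boolean);
  if (!TEXT_TYPES.test(mediaType)) return contentType;
  if (params.some(p => /^charset\s*=/i.test(p))) return contentType;
  return [mediaType, ...params, `charset=${charset}`].join('; ');
}

// Express-style middleware (hypothetical name): intercept res.setHeader so
// that whatever sets Content-Type later (a 404 handler, an error handler)
// cannot emit a bare text media type.
function charsetGuard(req, res, next) {
  const setHeader = res.setHeader.bind(res);
  res.setHeader = function (name, value) {
    if (name.toLowerCase() === 'content-type') value = withCharset(value);
    return setHeader(name, value);
  };
  next();
}

// Weak 404 handler, the pattern the advisory describes: charset omitted,
// leaving the browser free to guess the encoding of the body.
function weakNotFound(req, res) {
  res.statusCode = 404;
  res.setHeader('Content-Type', 'text/html');
  res.end('<!DOCTYPE html><h1>Not Found</h1>');
}

// Hardened 404 handler: the charset is declared explicitly.
function hardenedNotFound(req, res) {
  res.statusCode = 404;
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!DOCTYPE html><h1>Not Found</h1>');
}

// Constructed stand-in for http.ServerResponse so the example runs offline.
class FakeResponse {
  constructor() { this.statusCode = 200; this.headers = {}; this.body = ''; }
  setHeader(name, value) { this.headers[name.toLowerCase()] = value; }
  getHeader(name) { return this.headers[name.toLowerCase()]; }
  end(body) { this.body = body; }
}

// Run a handler with or without the guard and return the Content-Type it produced.
function contentTypeFrom(handler, guarded) {
  const req = {};
  const res = new FakeResponse();
  if (guarded) charsetGuard(req, res, () => {});
  handler(req, res);
  return res.getHeader('content-type');
}

console.log(contentTypeFrom(weakNotFound, false));     // text/html
console.log(contentTypeFrom(weakNotFound, true));      // text/html; charset=utf-8
console.log(contentTypeFrom(hardenedNotFound, false)); // text/html; charset=utf-8
```

The version update in the remediation is the actual fix; the middleware above is defence in depth for application code that still writes Content-Type headers itself. Note that withCharset deliberately leaves values that already name a charset alone, so it never overrides a handler that has chosen an encoding on purpose, and it ignores binary media types such as image/png, where a charset parameter has no meaning.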

Vulnerable versions

0.14.0 (8 years ago)
0.14.1 (8 years ago)
1.0.0 (8 years ago)
1.0.1 (8 years ago)
1.0.2 (8 years ago)
1.0.3 (8 years ago)
1.0.4 (8 years ago)
1.0.5 (8 years ago)
1.0.6 (8 years ago)
1.0.7 (8 years ago)
1.0.8 (7 years ago)
2.0.0 (7 years ago)
2.1.0 (7 years ago)
2.1.1 (7 years ago)
2.2.0 (7 years ago)
2.2.1 (7 years ago)
2.2.2 (7 years ago)
2.3.0 (7 years ago)
2.3.1 (7 years ago)
2.3.2 (7 years ago)
2.3.3 (7 years ago)
2.3.4 (7 years ago)
2.3.5 (7 years ago)
2.3.6 (7 years ago)
2.3.7 (7 years ago)
2.3.8 (7 years ago)
2.3.9 (7 years ago)
2.3.10 (7 years ago)
2.3.11 (7 years ago)
2.3.12 (7 years ago)
2.4.0 (7 years ago)
2.4.1 (7 years ago)
2.4.2 (7 years ago)
2.4.3 (7 years ago)
2.4.4 (7 years ago)
2.4.5 (7 years ago)
2.4.6 (7 years ago)
2.4.7 (7 years ago)
2.5.0 (7 years ago)
2.5.1 (7 years ago)
2.5.2 (7 years ago)
2.5.3 (7 years ago)
2.5.4 (7 years ago)
2.5.5 (7 years ago)
2.5.6 (7 years ago)
2.5.7 (7 years ago)
2.5.8 (7 years ago)
2.5.9 (6 years ago)
2.5.10 (6 years ago)
2.5.11 (6 years ago)
3.0.0 (6 years ago)
3.0.1 (6 years ago)
3.0.2 (6 years ago)
3.0.3 (6 years ago)
3.0.4 (6 years ago)
3.0.5 (6 years ago)
3.0.6 (6 years ago)
3.1.0 (6 years ago)
3.1.1 (5 years ago)
3.1.2 (5 years ago)
3.2.0 (5 years ago)
3.2.1 (5 years ago)
3.2.2 (5 years ago)
3.2.3 (5 years ago)
3.2.4 (5 years ago)
3.2.5 (5 years ago)
3.2.6 (5 years ago)
3.3.0 (5 years ago)
3.3.1 (5 years ago)
3.3.2 (5 years ago)
3.3.3 (5 years ago)
3.3.4 (5 years ago)
3.3.5 (5 years ago)
3.3.6 (5 years ago)
3.3.7 (5 years ago)
3.3.8 (5 years ago)
3.4.0 (5 years ago)
3.4.1 (5 years ago)
3.4.2 (5 years ago)
3.4.3 (5 years ago)
3.4.4 (5 years ago)
3.4.5 (5 years ago)
3.4.6 (5 years ago)
3.4.7 (5 years ago)
3.4.8 (5 years ago)
3.5.0 (4 years ago)
3.5.1 (4 years ago)
4.0.0 (4 years ago)
3.5.2 (4 years ago)
4.1.0 (4 years ago)
4.1.1 (4 years ago)
3.5.3 (4 years ago)
4.1.2 (4 years ago)
3.6.0 (4 years ago)
4.2.0 (4 years ago)
3.7.0 (4 years ago)
3.8.0 (4 years ago)
4.3.0 (4 years ago)
4.3.1 (4 years ago)
3.8.1 (4 years ago)
4.3.2 (4 years ago)
3.9.0 (4 years ago)
4.4.0 (4 years ago)
4.4.1 (4 years ago)
3.10.0 (4 years ago)
3.10.1 (4 years ago)
3.10.2 (4 years ago)
3.10.3 (4 years ago)
3.10.4 (4 years ago)
4.4.2 (4 years ago)
3.10.5 (4 years ago)
4.4.3 (4 years ago)
4.4.4 (4 years ago)
4.4.5 (4 years ago)

Unaffected versions

2.0.0-pre (7 years ago)
1.0.0-beta (5 years ago)
1.0.0-beta2 (5 years ago)
1.0.0-rc (5 years ago)
1.0.0-rc2 (5 years ago)
1.0.0-rc3 (5 years ago)
1.0.0-rc4 (5 years ago)
2.0.0-beta (5 years ago)
2.0.0-beta2 (5 years ago)
2.0.0-beta3 (5 years ago)
2.0.0-rc (5 years ago)
2.0.0-rc2 (5 years ago)
2.0.0-rc3 (5 years ago)
3.0.0-alpha1 (5 years ago)
3.0.0-alpha2 (5 years ago)
3.0.0-alpha3 (5 years ago)
3.0.0-alpha4 (5 years ago)
3.0.0-alpha5 (5 years ago)
3.0.0-beta1 (5 years ago)
3.0.0-beta2 (5 years ago)
3.0.0-beta3 (5 years ago)
3.0.0-beta4 (5 years ago)
3.0.0-beta6 (5 years ago)
3.0.0-beta7 (5 years ago)
3.0.0-rc1 (5 years ago)
3.0.0-rc2 (5 years ago)
3.0.0-rc3 (5 years ago)
3.0.0-rc4 (5 years ago)
3.0.0-rc5 (5 years ago)
4.0.0-rc1 (4 years ago)
4.0.0-rc2 (4 years ago)
4.0.0-rc3 (4 years ago)
4.0.0-rc4 (4 years ago)
3.11.0 (4 years ago)
3.12.0 (4 years ago)
3.12.1 (4 years ago)
3.13.0 (4 years ago)
4.5.0 (4 years ago)
4.5.1 (4 years ago)
3.14.0 (4 years ago)
4.6.0 (4 years ago)
4.6.1 (4 years ago)
3.15.0 (4 years ago)
4.7.0 (4 years ago)
3.15.1 (4 years ago)
4.7.1 (4 years ago)
3.15.2 (4 years ago)
4.7.2 (4 years ago)
4.7.3 (4 years ago)
3.15.3 (4 years ago)
4.7.4 (4 years ago)
3.16.0 (4 years ago)
4.8.0 (4 years ago)
3.16.1 (4 years ago)
4.8.1 (4 years ago)
3.16.2 (4 years ago)
4.8.2 (4 years ago)
3.16.3 (4 years ago)
3.16.4 (4 years ago)
4.8.3 (4 years ago)
3.16.5 (4 years ago)
3.16.6 (4 years ago)
4.8.4 (4 years ago)
3.16.7 (4 years ago)
4.8.5 (4 years ago)
3.16.8 (4 years ago)
4.8.6 (4 years ago)
3.16.9 (4 years ago)
4.8.7 (4 years ago)
3.16.10 (4 years ago)
4.8.8 (4 years ago)
3.17.0 (4 years ago)
3.17.1 (4 years ago)
4.9.0 (4 years ago)
3.17.2 (4 years ago)
4.9.1 (4 years ago)
4.9.2 (4 years ago)
3.17.3 (4 years ago)
4.9.3 (4 years ago)
3.17.4 (4 years ago)
4.9.4 (4 years ago)
3.17.5 (4 years ago)
4.9.5 (4 years ago)
3.17.6 (4 years ago)
3.17.7 (4 years ago)
4.9.6 (4 years ago)
4.9.7 (4 years ago)
3.17.8 (4 years ago)
4.9.8 (4 years ago)
3.18.0 (4 years ago)
3.18.1 (4 years ago)
4.10.0 (4 years ago)
3.18.2 (4 years ago)
4.10.1 (4 years ago)
5.0.0-alpha.1 (4 years ago)
3.18.3 (4 years ago)
4.10.2 (4 years ago)
3.18.4 (4 years ago)
4.10.3 (4 years ago)
4.10.4 (4 years ago)
4.10.5 (4 years ago)
3.18.5 (4 years ago)
3.18.6 (4 years ago)
4.10.6 (4 years ago)
4.10.7 (4 years ago)
3.19.0 (4 years ago)
4.10.8 (4 years ago)
4.11.0 (4 years ago)
3.19.1 (4 years ago)
4.11.1 (4 years ago)
3.19.2 (4 years ago)
4.11.2 (4 years ago)
3.20.0 (3 years ago)
4.12.0 (3 years ago)
3.20.1 (3 years ago)
4.12.1 (3 years ago)
4.12.2 (3 years ago)
3.20.2 (3 years ago)
4.12.3 (3 years ago)
3.20.3 (3 years ago)
4.12.4 (3 years ago)
3.21.0 (3 years ago)
4.13.0 (3 years ago)
3.21.1 (3 years ago)
4.13.1 (3 years ago)
5.0.0-alpha.2 (3 years ago)
3.21.2 (3 years ago)
4.13.2 (3 years ago)
4.13.3 (3 years ago)
4.13.4 (3 years ago)
4.14.0 (2 years ago)
4.14.1 (2 years ago)
5.0.0-alpha.3 (2 years ago)
4.15.0 (a year ago)
5.0.0-alpha.4 (a year ago)
4.15.1 (a year ago)
4.15.2 (a year ago)
5.0.0-alpha.5 (a year ago)
4.15.3 (a year ago)
4.15.4 (a year ago)
4.15.5 (a year ago)
5.0.0-alpha.6 (a year ago)
4.16.0 (a year ago)
4.16.1 (a year ago)
4.16.2 (10 months ago)
4.16.3 (5 months ago)

Advisory timeline

  1. Published: advisory published Sep 12th, 2014
  2. Reported: initial report by Paweł Hałdrzyński, Oct 17th, 2015