Severity: moderate

No Charset in Content-Type Header



Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.


For express 3.x, update express to version 3.11 or later. For express 4.x, update express to version 4.5 or later.

Advisory timeline

  1. reported

    Oct 17th, 2015
  2. published

    Advisory published
    Sep 12th, 2014