Security updates

The list below enumerates the Express vulnerabilities that were fixed in the specified version update.

NOTE: If you believe you have discovered a security vulnerability in Express, please see Security Policies and Procedures.

4.x

• 4.11.1
  • Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile
• 4.10.7
  • Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).
• 4.8.8
  • Fixed directory traversal vulnerabilities in express.static (advisory , CVE-2014-6394).
• 4.8.4
  • Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.
• 4.8.0
  • Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.
  • Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.

3.x

• 3.19.1
  • Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile
• 3.19.0
  • Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).
• 3.16.10
  • Fixed directory traversal vulnerabilities in express.static.
• 3.16.6
  • Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.
• 3.16.0
  • Sparse arrays that have extremely high indexes in query string could cause the process to run out of memory and crash the server.
  • Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
• 3.3.0
  • The 404 response of an unsupported method override attempt was susceptible to cross-site scripting attacks.