Skip to content

chore(deps): update dependency express to v4.20.0 [security]#267

Open
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-express-vulnerability
Open

chore(deps): update dependency express to v4.20.0 [security]#267
renovate[bot] wants to merge 1 commit intodevelopfrom
renovate/npm-express-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 28, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
express (source) 4.19.24.20.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-43796

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template

Release Notes

expressjs/express (express)

v4.20.0

Compare Source

==========

  • deps: serve-static@​0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@​0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@​0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@​0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 28, 2024
@renovate
Copy link
Contributor Author

renovate bot commented Mar 28, 2024

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 6d71069 to fac9979 Compare March 28, 2024 22:49
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 3a12ded to ab95ec6 Compare April 6, 2024 02:33
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 3 times, most recently from 23088c6 to 32120cf Compare May 13, 2024 08:08
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 9a405f8 to 5079046 Compare May 21, 2024 11:07
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 4 times, most recently from fca98aa to 5878f3a Compare June 12, 2024 03:04
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 3 times, most recently from b0e0a6a to 05a036b Compare June 17, 2024 05:13
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 8f26fb9 to d9ec2f6 Compare June 28, 2024 16:47
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from d7d5709 to adbf744 Compare July 16, 2024 06:40
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from adbf744 to 670a96d Compare September 17, 2024 17:05
@renovate renovate bot changed the title fix(deps): update dependency express to v4.19.2 [security] fix(deps): update dependency express to v4.20.0 [security] Sep 17, 2024
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 670a96d to faa495c Compare September 21, 2024 10:17
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from faa495c to 76d9efd Compare October 4, 2024 02:20
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 4 times, most recently from 8b87192 to a860242 Compare November 4, 2024 11:36
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from a860242 to ef15393 Compare November 5, 2024 04:07
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 141c6c9 to 624a866 Compare March 25, 2025 16:13
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 3 times, most recently from ce22123 to 8085c34 Compare April 11, 2025 01:50
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 8085c34 to a6ad2cc Compare May 4, 2025 11:26
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from bfc0d37 to 06a483f Compare May 27, 2025 13:45
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 4 times, most recently from 53ebe00 to c282a23 Compare June 21, 2025 05:10
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from c282a23 to 8d03061 Compare June 25, 2025 05:19
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from ad52a04 to 5ae1d8a Compare July 11, 2025 05:10
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 5ae1d8a to fb95bb9 Compare September 25, 2025 21:36
@renovate renovate bot changed the title fix(deps): update dependency express to v4.20.0 [security] chore(deps): update dependency express to v4.20.0 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from a80b52c to 92ee9bf Compare November 21, 2025 15:58
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 92ee9bf to 3c5d8b0 Compare December 1, 2025 19:55
@renovate renovate bot changed the title chore(deps): update dependency express to v4.20.0 [security] chore(deps): update dependency express [security] Dec 1, 2025
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 3c5d8b0 to 29ef151 Compare December 2, 2025 17:43
@renovate renovate bot changed the title chore(deps): update dependency express [security] chore(deps): update dependency express to v4.20.0 [security] Dec 2, 2025
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 29ef151 to 7dfad0f Compare February 12, 2026 11:27
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 68b5673 to 7b5ea34 Compare March 20, 2026 03:24
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 7b5ea34 to 250f6a9 Compare March 20, 2026 03:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants