fix: handle NaN status codes by defaulting to 500

Ayoub-Mabrouk · Ayoub-Mabrouk · commit d2a6a26ac698 · 2025-11-22T18:02:19.000+01:00
Previously, when createError(NaN) was called, the status validation
would fail to catch NaN because typeof NaN === 'number' is true in
JavaScript. This resulted in errors with NaN status codes, which
could cause issues in downstream code.

This fix adds an explicit isNaN() check to the status validation
logic, ensuring that NaN status codes are properly caught and
defaulted to 500.

Additionally, a test case has been added to verify this behavior
and prevent regression.

Fixes: NaN status codes not being validated correctly
diff --git a/index.js b/index.js
@@ -73,7 +73,7 @@ function createError () {
     deprecate('non-error status code; use only 4xx or 5xx status codes')
   }
 
-  if (typeof status !== 'number' ||
+  if (typeof status !== 'number' || isNaN(status) ||
     (!statuses.message[status] && (status < 400 || status >= 600))) {
     status = 500
   }
diff --git a/test/test.js b/test/test.js
@@ -331,6 +331,15 @@ describe('HTTP Errors', function () {
     assert.strictEqual(err.expose, false)
   })
 
+  it('createError(NaN) should default to 500', function () {
+    var err = createError(NaN)
+    assert.strictEqual(err.name, 'InternalServerError')
+    assert.strictEqual(err.message, 'Internal Server Error')
+    assert.strictEqual(err.status, 500)
+    assert.strictEqual(err.statusCode, 500)
+    assert.strictEqual(err.expose, false)
+  })
+
   it('createError(err, props)', function () {
     var _err = new Error('LOL')
     _err.status = 404

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ function createError () {`
`73`	`73`	`deprecate('non-error status code; use only 4xx or 5xx status codes')`
`74`	`74`	`}`
`75`	`75`
`76`		`- if (typeof status !== 'number' \|\|`
	`76`	`+ if (typeof status !== 'number' \|\| isNaN(status) \|\|`
`77`	`77`	`(!statuses.message[status] && (status < 400 \|\| status >= 600))) {`
`78`	`78`	`status = 500`
`79`	`79`	`}`