Skip to content

Update dependency express to v4.20.0 [SECURITY]#514

Closed
renovate[bot] wants to merge 634 commits into
masterfrom
renovate/npm-express-vulnerability
Closed

Update dependency express to v4.20.0 [SECURITY]#514
renovate[bot] wants to merge 634 commits into
masterfrom
renovate/npm-express-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 29, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
express (source) 4.18.24.20.0 age confidence

express vulnerable to XSS via response.redirect()

CVE-2024-43796 / GHSA-qw6h-vgh9-j6wx

More information

Details

Impact

In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code

Patches

this issue is patched in express 4.20.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Express.js Open Redirect in malformed URLs

CVE-2024-29041 / GHSA-rv95-896h-c2vc

More information

Details

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with express@4.19.0, we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

Resources

https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

expressjs/express (express)

v4.20.0

Compare Source

==========

  • deps: serve-static@​0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@​0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@​0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@​0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

  • Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

  • Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@​0.6.0

v4.18.3

Compare Source

==========

  • Fix routing requests without method
  • deps: body-parser@​1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@​2.5.2
  • deps: cookie@​0.6.0
    • Add partitioned option

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Neo Technology Build Agent and others added 30 commits October 22, 2020 09:38
Merge branch 'release'
a9fd803
Publish
a27d760 
 - @relate/electron@1.0.2-alpha.16
 - @relate/web@1.0.2-alpha.16
Merge branch 'release'
2d5fd6b
@huboneo
Feature public extensions (#218)
c0c5f6a 
* now using public NPM registry

* added extension verification with code-signer

* additional output to ext:list

* refactored extension discovery to use cascading defaults from package.json if not in manifest

* Allow installing tarballs from URL
- bugfix broken code signature for static packages
- remove cache entry when installing from file or URL

* fix broken TestExtensions

* changes from review

* address case where version as path is passed but no name

* fix flaky windows tests
@nglgzz
Fix package locks on publish (#222)
8e816a1 
* Sync package locks on publish

* Fix package locks

* Fix npm audit issues
@huboneo
Feature remote STATIC extensions (#223)
a5b6ae7 
* Updated relate client parameters and added support for remote STATIC apps

* fix broken test

* disable concurrent tests again

* changes from review
@nglgzz
Add xvfb script for Docker tests (#224)
6931218 
* Fix setup script hanging on errors

* Add xvfb script for Docker tests
@akollegger
db:exec query handling (#217)
612d4c8 
* fix(cli): db:exec allow nameOrId, append missing semicolon, reduce extra output
* fix(cli): removed extra, conflicting @oclif/errors dependency
* fix(common): input stream to cypher-shell may be a string or a raw buffer
* fix(cli): create test project, populate with test cypher for db:exec testing
* fix(common): all dbs.local operations accept nameOrId
@huboneo
Rfc relate client (#225)
fdb0c7f 
* created relate client RFC

* added link to PR

* update RFC
@nglgzz
Add server status to infoDbmss, make all CLI flags camel case (#227)
2228921 
* Web: add online check and server status to infoDbmss

* CLI: make flag casing consistent across commands

And add onlineCheck flag to dbms:info

* CLI: remove duplicate calls to dbmss.info

* CLI: fix docs links
common/extensions install and web/extensions.e2e tests (#219)
f32d9df
@huboneo
Chore separate access token files (#226)
f5d6442 
* now saving access tokens in separate files

* changes from review

* added dump logs for better debugging

* banned TS type assertions and updated linter
add force flag for overwriting project files (#228)
33b4fda
@huboneo
Update @relate/types readme links
32c513d
@huboneo
Cleaned up backup.local implementation (#230)
88979d3
@huboneo
create separate env dirs when creating new envs (#229)
c24602e 
* create separate env dirs when creating new envs

* fix failing tests

* fix rebase conflict

* fix access token storage path, improved teardown cleanup

* removed yargs from common

* remove yargs and revert to backward compatible dataPath

* refactored modules to be dynamic, removing the need for environment variables to accurately load extensions

* Return of the global config, much better

* systemProvider createEnv and getEnv tests

* pass config to load property in system provider test

Co-authored-by: Hugo Bove <hugo.bove@neotechnology.com>
@nglgzz
Add manifest entity to abstract common logic (#231)
f4912f9 
* Update table fields on environment:list

* Add manifest entity

* Add manifest entity to DBMSs

* Add manifest entity to projects

* Rename model files, make manifest readonly

* Add manifest tests

* Add util to get manifest name

* Fix broken import
@huboneo
Update relate-client.rfc.md
bc21173
@huboneo
Update relate-extensions.rfc.md
5c61537
@nglgzz
Add metadata field to entity manifests (#232)
529df71 
* Types: add Dict.assign

* Add metadata to entity manifest

* CLI: update output to include metadata

* Allow passing multiple keys to Dict.omit

* Update signature of metadata methods
@nglgzz
Update docs and bump code-signer (#233)
a2bb033 
* Update docs

* Bump code signer
add is-symlink check and update project and dbms link logic (#234)
5b9f477
ensure global Relate data path exists before write file (#235)
f9146b3
@nglgzz
Start running tests in separate environments (#237)
870763a 
* Create test util to create environments

* Start running tests in separate environments

* Disallow new expression with TestEnvironment
@nglgzz
Refactor dbmss.link and projects.link (#236)
0b0a2e9 
* Add method to unlink projects

* Make nameOrId argument consistent across project operations

* Fix broken links showing as existing projects

* Refactor dbmss.link and projects.link

* Add more link tests

* Update CLI commands

* Update docs

* Fix broken tests

* Always set encoding when reading or writing JSON
@nglgzz
Add resolvers for getting/setting/removing metadata and tags (#238)
a87e180 
* Copy import folder on DBMS upgrades

* Allow getting, setting, and removing metadata from WebModule

* Add tests
Publish
621ccac 
 - @relate/cli@1.0.2-alpha.16
 - @relate/client@1.0.2-alpha.11
 - @relate/common@1.0.2-alpha.16
 - @relate/electron@1.0.2-alpha.17
 - @relate/types@1.0.2-alpha.11
 - @relate/web@1.0.2-alpha.17
@nglgzz
Add flag for merging fields on manifest update (#241)
c593414
Publish
a50238c 
 - @relate/cli@1.0.2-alpha.17
 - @relate/common@1.0.2-alpha.17
 - @relate/electron@1.0.2-alpha.18
 - @relate/web@1.0.2-alpha.18
@linuslundahl
Install sample projects (#245)
33f4595
@linuslundahl @github-actions
Version Packages (#520)
3a6a298 
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch from 27701bd to f6402f8 Compare August 10, 2025 13:48
@renovate renovate Bot changed the title fix(deps): update dependency express to v4.20.0 [security] fix(deps): update dependency express to v4.22.0 [security] Dec 1, 2025
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 4d9e6a7 to 8d187e5 Compare December 2, 2025 18:13
@renovate renovate Bot changed the title fix(deps): update dependency express to v4.22.0 [security] fix(deps): update dependency express to v4.20.0 [security] Dec 2, 2025
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 0591869 to 7dd53fd Compare January 23, 2026 17:45
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch from 7dd53fd to f2a51c9 Compare February 12, 2026 18:02
@renovate renovate Bot changed the title fix(deps): update dependency express to v4.20.0 [security] fix(deps): update dependency express to v4.20.0 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-express-vulnerability branch March 27, 2026 02:05
@renovate renovate Bot changed the title fix(deps): update dependency express to v4.20.0 [security] - autoclosed fix(deps): update dependency express to v4.20.0 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from f2a51c9 to 023ffb3 Compare March 30, 2026 18:14
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch from 023ffb3 to df347c5 Compare April 8, 2026 17:45
@renovate renovate Bot changed the title fix(deps): update dependency express to v4.20.0 [security] Update dependency express to v4.20.0 [SECURITY] Apr 8, 2026
@renovate renovate Bot changed the title Update dependency express to v4.20.0 [SECURITY] Update dependency express to v4.20.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency express to v4.20.0 [SECURITY] - autoclosed Update dependency express to v4.20.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch 3 times, most recently from 72f2416 to e6396cb Compare April 29, 2026 20:04
@renovate renovate Bot force-pushed the renovate/npm-express-vulnerability branch from e6396cb to c274622 Compare May 28, 2026 20:02
@renovate

renovate Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (4.20.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@linuslundahl @huboneo @nglgzz @akollegger @emmaagh @team-devtools-bot