Express: Statement on "mime" module NSP/Snyk advisory

Created on 27 Sep 2017 · 5 Comments · Source: expressjs/express

I am creating this post before issues start arriving on this. The security vendors have posted an advisory on the "mime" module (https://snyk.io/vuln/npm:mime:20170907 and https://nodesecurity.io/advisories/535), which will be flagged in current versions of Express.js (4.15.5 is the current version at this time).

Express.js is not vulnerable to the issue identified in the "mime" module

We are working to get a release of Express.js out that includes the updated module, but the patch for the module is on top of semver-minor changes to the module, so the update is part of the Express.js 4.16 release, which is targeted for Monday, Oct 2.

meta

All 5 comments

For those who are coming here / may have already subscribed: I am looking into the logistics to accelerate the Express 4.16 release to potentially tomorrow, Thursday Sep 28, which would allow this to get in earlier.

As a reminder, this module does not introduce a vulnerability in Express.

The security systems simply check module version numbers, they do not assess, for example, if (a) the affected API is actually being used nor (b) if the API usage can actually result in a security exploit.

For some details around the usage of this module in Express.js, the exploit is dependent on unbounded user input into a specific API method of the mime module. From my assessment based on provided PoCs, it is not possible to exploit the underlying mime API usage through Express and its dependencies.

_This does not mean we don't take this seriously and don't want to upgrade the dependency ASAP_. Since the dependency is woven into how Express functions and the patch is only available in a lineage in which upgrading will cause semver-minor changes to Express.js, it cannot be released as a part of an Express 4.15.x patch release.

We are working to get this out quickly without sacrificing the quality of the delivered release. The mime module was patched less than 2 days ago (from Sep 27) and the security vendors just released the advisories today (Sep 27).

For those who continue to stop by, I would like to say thank you for your patience while we work hard on getting Express 4.16 out the door multiple days early in order to deliver you a version of Express with the mime module as soon as possible.

Just wanted to provide everyone an update: 4.16 is going well, and now that it is Thursday, Sep 28 the release is coming up very soon 🎉 And in case you didn't know, minor releases are done & staged in the open in pull requests, with #3423 the staging pull request for Express 4.16 which you can follow along with if you wanted to know where we are at.

The Express.js 4.16.0 release is commit-complete now, just waiting for CI and some other misc. checks, but I would expect it to get released within an hour now 🎉

Express.js 4.16.0 is out now with the updated dependency 🎉
