Express: vulnerability detected in express 4.17.1

Created on 31 Oct 2019 · 3 Comments · Source: expressjs/express

Hi,
we are getting the sonatype-2013-0159 vulnerability in express 4.17.1.
Is there any non-vulnerable version (non-beta) available or about to be released?
Or is there any recommendation on how we can avoid this issue?

invalid

All 3 comments

Hello, we are not aware of any outstanding vulnerabilities. I'm not even sure what "sonatype-2013-0159" means. If you can provide more details so we can understand the vulnerability and what we need to do to address it, please share in accordance with our security policy: https://github.com/expressjs/express/blob/master/Security.md

The express package contains an Infinite Loop vulnerability. The param function in index.js uses recursion and does not handle "undefined" status codes properly. This can lead to an infinite loop under certain situations and cause the application to hang or crash, resulting in Denial of Service (DoS).

You already have an issue on this... https://github.com/expressjs/express/issues/1623

Can you please conclude how to get over this vulnerability? Is this an express problem or a node issue?

That issue was fixed in 2013. If you think there is still an issue there, please provide a reproduction case of the exploit in accordance with our security policy: https://github.com/expressjs/express/blob/master/Security.md
