Express: vulnerability detected in express 4.17.1

Created on 31 Oct 2019 · 3 comments · Source: expressjs/express

Hi,
we are getting the sonatype-2013-0159 vulnerability in express 4.17.1.
Is there any non-vulnerable version (non-beta) available or about to be released?
Or is there any recommendation on how we can avoid this issue?

invalid

All 3 comments

Hello, we are not aware of any outstanding vulnerabilities. I'm not even sure what "sonatype-2013-0159" means. If you can provide more details so we can understand the vulnerability and what we need to do to address it, please share in accordance with our security policy: https://github.com/expressjs/express/blob/master/Security.md

The express package contains an Infinite Loop vulnerability. The param function in index.js uses recursion and does not handle "undefined" status codes properly. This can lead to an infinite loop under certain situations and cause the application to hang or crash, resulting in Denial of Service (DoS).

You already have an issue on this... https://github.com/expressjs/express/issues/1623

Can you please conclude how to get over this vulnerability? Is this an Express problem or a Node issue?

That issue was fixed in 2013. If you think there is still an issue there, please provide a reproduction case of the exploit in accordance with our security policy: https://github.com/expressjs/express/blob/master/Security.md
