Found a security issue. How can I report?
Report to my email: https://github.com/expressjs/express/blob/master/package.json#L9
Just a heads-up, based on your GitHub activity, it's possible you may be about to report a vulnerability in Node.js itself, and not Express. I will absolutely take a look no matter what, but you may want to make sure the vulnerability lies in Express vs Node.js (i.e. the Node.js HTTP module https://nodejs.org/dist/latest-v12.x/docs/api/http.html) as it does all HTTP request parsing prior to arriving at Express for processing.
For an update here, I got the report today from @ZeddYu and indeed it is not an Express security issue, but an issue with the HTTP parsing in Node.js core http module. I believe this issue has also been reported to Node.js as well based on their HackerOne activity, so there should be Node.js releases at some point to address this report. No changes would be made to Express as it is not performing the vulnerable activity, but instead surfacing what Node.js core is doing like any other Node.js-based HTTP framework.
@wesleytodd