Security updates
Node.js vulnerabilities directly affect Express. Therefore, keep a watch on Node.js vulnerabilities and make sure you are using the latest stable version of Node.js.
The list below enumerates the Express vulnerabilities that were fixed in the specified version update.
NOTE: If you believe you have discovered a security vulnerability in Express, please see Security Policies and Procedures.
4.16.0
The dependency forwarded has been updated to address a vulnerability. This may affect your application if the following APIs are used: req.host, req.hostname, req.ip, req.ips, req.protocol.
The dependency mime has been updated to address a vulnerability, but this issue does not impact Express.
The dependency send has been updated to provide protection against a Node.js 8.5.0 vulnerability. This only impacts running Express on the specific Node.js version 8.5.0.
4.15.5
The dependency debug has been updated to address a vulnerability, but this issue does not impact Express.
The dependency fresh has been updated to address a vulnerability. This will affect your application if the following APIs are used: express.static, req.fresh, res.json, res.jsonp, res.send, res.sendfile, res.sendFile, res.sendStatus.
4.15.3
The dependency ms has been updated to address a vulnerability. This may affect your application if untrusted string input is passed to the maxAge option in the following APIs: express.static, res.sendfile, and res.sendFile.
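The entry above concerns string values for maxAge that reach the ms parser. A defensive approach is to resolve the cache lifetime to a number of milliseconds in your own code and pass only that number on, so no untrusted string ever reaches the dependency. The following is an added example, not code from the Express project; the function names, the duration grammar and the one-year ceiling are this example's own choices.

```javascript
// Added example (not from the Express docs): resolve a cache max-age to a
// number of milliseconds ourselves instead of handing an untrusted string to
// the `maxAge` option of express.static / res.sendFile. All names and limits
// here are this example's own.

// Hard cap on what we will accept: one year, in milliseconds.
const MAX_AGE_CEILING_MS = 365 * 24 * 60 * 60 * 1000;

// Strict grammar: up to nine digits followed by an optional unit. The input
// length is checked before the regex runs and the pattern is anchored, so a
// long hostile string is rejected in constant time.
const UNIT_MS = { ms: 1, s: 1000, m: 60 * 1000, h: 60 * 60 * 1000, d: 24 * 60 * 60 * 1000 };
const DURATION_RE = /^(\d{1,9})(ms|s|m|h|d)?$/;

// Returns a non-negative integer number of milliseconds, or `fallbackMs`
// when the input is not a number or not a well-formed duration string.
function resolveMaxAgeMs(input, fallbackMs = 0) {
  if (typeof input === 'number') {
    if (!Number.isFinite(input) || input < 0) return fallbackMs;
    return Math.min(Math.floor(input), MAX_AGE_CEILING_MS);
  }
  if (typeof input !== 'string' || input.length > 12) return fallbackMs;
  const m = DURATION_RE.exec(input.trim());
  if (m === null) return fallbackMs;
  const value = Number(m[1]) * UNIT_MS[m[2] || 'ms'];
  return Math.min(value, MAX_AGE_CEILING_MS);
}

// Usage sketch with Express (not executed here): the option receives a
// number, never the raw configuration string.
// const maxAge = resolveMaxAgeMs(process.env.STATIC_MAX_AGE, 3600 * 1000);
// app.use(express.static('public', { maxAge }));
```

Because the result is a number, the ms string parser is never invoked for this option regardless of where the configured value came from; values that fail the grammar fall back to a value you control rather than being passed through.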
4.15.2
The dependency qs has been updated to address a vulnerability, but this issue does not impact Express. Updating to 4.15.2 is a good practice, but not required to address the vulnerability.
4.11.1
Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile.
4.10.7
Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).
4.8.8
Fixed directory traversal vulnerabilities in express.static (advisory, CVE-2014-6394).
4.8.4
Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.
4.8.0
Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.
Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
Express 3.x IS NO LONGER MAINTAINED
Known and unknown security issues in 3.x have not been addressed since the last update (1 August, 2015). Using the 3.x line should not be considered secure.
3.19.1
Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile.
3.19.0
Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).
3.16.10
Fixed directory traversal vulnerabilities in express.static.
3.16.6
Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.
3.16.0
Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.
Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.
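The 4.8.0 and 3.16.0 entries both describe the same two query-string failure modes: a huge sparse array index and very deep bracket nesting. As defence in depth for an application that parses bracketed query strings, the raw query can be checked against an index and depth budget before any parser sees it. The following is an added example, not code from the Express project; the function names, the limits and the middleware sketch in the comments are this example's own choices.

```javascript
// Added example (not from the Express docs): reject a raw query string whose
// bracket syntax would make an extended (qs-style) parser allocate a huge
// sparse array or build a deeply nested object, before it is parsed at all.
// Names and limits below are this example's own choices.

const LIMITS = { maxArrayIndex: 20, maxDepth: 5, maxLength: 2048 };

// Percent-decode a key segment; a malformed escape is left as-is rather than
// thrown, so the caller still gets a verdict.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Returns { ok: true } or { ok: false, reason } for a raw query string such
// as "a[999999999]=1" or "a[b][c][d][e][f][g]=1".
function checkQueryString(raw, limits = LIMITS) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  if (raw.length > limits.maxLength) return { ok: false, reason: 'too long' };
  for (const pair of raw.split('&')) {
    if (pair === '') continue;
    const key = safeDecode(pair.split('=', 1)[0]);
    // Walk each [...] group once: the count gives the nesting depth and a
    // purely numeric group is an array index.
    let depth = 0;
    const re = /\[([^\]]*)\]/g;
    let m;
    while ((m = re.exec(key)) !== null) {
      depth += 1;
      if (depth > limits.maxDepth) {
        return { ok: false, reason: `nesting deeper than ${limits.maxDepth}` };
      }
      if (/^\d+$/.test(m[1]) && Number(m[1]) > limits.maxArrayIndex) {
        return { ok: false, reason: `array index ${m[1]} exceeds ${limits.maxArrayIndex}` };
      }
    }
  }
  return { ok: true };
}

// Express wiring sketch (not executed here): run the check in a middleware
// installed before the router, or install a custom parser with
// app.set('query parser', fn) that applies the same budget.
// app.use((req, res, next) => {
//   const i = req.url.indexOf('?');
//   const verdict = checkQueryString(i === -1 ? '' : req.url.slice(i + 1));
//   if (!verdict.ok) return res.status(400).send('Bad query string');
//   next();
// });
```

The check is linear in the length of the query string and allocates nothing proportional to the index values it reads, so a request that would have forced a large allocation or a deep recursion is turned away with a 400 at constant cost.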
3.3.0
The 404 response of an unsupported method override attempt was susceptible to cross-site scripting attacks.