安全更新

¥Security updates

下面的列表列举了指定版本更新中修复的 Express 漏洞。

¥The list below enumerates the Express vulnerabilities that were fixed in the specified version update.

4.x {#4x}

• 4.21.2

  • 已更新依赖 path-to-regexp 以解决 vulnerability。

    ¥The dependency path-to-regexp has been updated to address a vulnerability.

• 4.21.1

  • 依赖 cookie 已更新为寻址 vulnerability，如果你使用 res.cookie，这可能会影响你的应用。

    ¥The dependency cookie has been updated to address a vulnerability, This may affect your application if you use res.cookie.

• 4.20.0

  • 修复了 res.redirect（advisory、CVE-2024-43796）中的 XSS 漏洞。

    ¥Fixed XSS vulnerability in res.redirect (advisory, CVE-2024-43796).

  • 已更新依赖 serve-static 以解决 vulnerability。

    ¥The dependency serve-static has been updated to address a vulnerability.

  • 已更新依赖 send 以解决 vulnerability。

    ¥The dependency send has been updated to address a vulnerability.

  • 已更新依赖 path-to-regexp 以解决 vulnerability。

    ¥The dependency path-to-regexp has been updated to address a vulnerability.

  • 依赖 body-parser 已更新为寻址 vulnerability，如果你已激活 url 编码，这可能会影响你的应用。

    ¥The dependency body-parser has been updated to addres a vulnerability, This may affect your application if you had url enconding activated.

• 4.19.0, 4.19.1

  • 修复了 res.location 和 res.redirect（advisory、CVE-2024-29041）中的开放重定向漏洞。

    ¥Fixed open redirect vulnerability in res.location and res.redirect (advisory, CVE-2024-29041).

• 4.17.3

  • 已更新依赖 qs 以解决 vulnerability。如果使用以下 API，这可能会影响你的应用：req.query, req.body, req.param.

    ¥The dependency qs has been updated to address a vulnerability. This may affect your application if the following APIs are used: req.query, req.body, req.param.

• 4.16.0

  • 已更新依赖 forwarded 以解决 vulnerability。如果使用以下 API，这可能会影响你的应用：req.host, req.hostname, req.ip, req.ips, req.protocol.

    ¥The dependency forwarded has been updated to address a vulnerability. This may affect your application if the following APIs are used: req.host, req.hostname, req.ip, req.ips, req.protocol.

  • 依赖 mime 已更新以解决 vulnerability，但此问题不会影响 Express。

    ¥The dependency mime has been updated to address a vulnerability, but this issue does not impact Express.

  • 已更新依赖 send 以提供针对 Node.js 8.5.0 漏洞 的保护。这只会影响在特定 Node.js 版本 8.5.0 上运行 Express。

    ¥The dependency send has been updated to provide a protection against a Node.js 8.5.0 vulnerability. This only impacts running Express on the specific Node.js version 8.5.0.

• 4.15.5

  • 依赖 debug 已更新以解决 vulnerability，但此问题不会影响 Express。

    ¥The dependency debug has been updated to address a vulnerability, but this issue does not impact Express.

  • 已更新依赖 fresh 以解决 vulnerability。如果使用以下 API，这将影响你的应用：express.static, req.fresh, res.json, res.jsonp, res.send, res.sendfile res.sendFile, res.sendStatus.

    ¥The dependency fresh has been updated to address a vulnerability. This will affect your application if the following APIs are used: express.static, req.fresh, res.json, res.jsonp, res.send, res.sendfile res.sendFile, res.sendStatus.

• 4.15.3

  • 已更新依赖 ms 以解决 vulnerability。如果将不受信任的字符串输入传递给以下 API 中的 maxAge 选项，这可能会影响你的应用：express.static、res.sendfile 和 res.sendFile。

    ¥The dependency ms has been updated to address a vulnerability. This may affect your application if untrusted string input is passed to the maxAge option in the following APIs: express.static, res.sendfile, and res.sendFile.

• 4.15.2

  • 依赖 qs 已更新以解决 vulnerability，但此问题不会影响 Express。更新到 4.15.2 是一个很好的做法，但不是解决漏洞所必需的。

    ¥The dependency qs has been updated to address a vulnerability, but this issue does not impact Express. Updating to 4.15.2 is a good practice, but not required to address the vulnerability.

• 4.11.1

  • 修复了 express.static、res.sendfile 和 res.sendFile 中的根路径泄露漏洞

    ¥Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile

• 4.10.7

  • 修复了 express.static（advisory、CVE-2015-1164）中的开放重定向漏洞。

    ¥Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).

• 4.8.8

  • 修复了 express.static（advisory、CVE-2014-6394）中的目录遍历漏洞。

    ¥Fixed directory traversal vulnerabilities in express.static (advisory , CVE-2014-6394).

• 4.8.4

  • Node.js 0.10 在某些情况下可能会泄漏 fd，从而影响 express.static 和 res.sendfile。恶意请求可能导致 fd 泄漏，并最终导致 EMFILE 错误和服务器无响应。

    ¥Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.

• 4.8.0

  • 在查询字符串中具有极高索引的稀疏数组可能会导致进程耗尽内存并使服务器崩溃。

    ¥Sparse arrays that have extremely high indexes in the query string could cause the process to run out of memory and crash the server.

  • 极端嵌套的查询字符串对象可能会导致进程阻塞并使服务器暂时无响应。

    ¥Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.

3.x {#3x}

• 3.19.1

  • 修复了 express.static、res.sendfile 和 res.sendFile 中的根路径泄露漏洞

    ¥Fixed root path disclosure vulnerability in express.static, res.sendfile, and res.sendFile

• 3.19.0

  • 修复了 express.static（advisory、CVE-2015-1164）中的开放重定向漏洞。

    ¥Fixed open redirect vulnerability in express.static (advisory, CVE-2015-1164).

• 3.16.10

  • 修复了 express.static 中的目录遍历漏洞。

    ¥Fixed directory traversal vulnerabilities in express.static.

• 3.16.6

  • Node.js 0.10 在某些情况下可能会泄漏 fd，从而影响 express.static 和 res.sendfile。恶意请求可能导致 fd 泄漏，并最终导致 EMFILE 错误和服务器无响应。

    ¥Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests could cause fds to leak and eventually lead to EMFILE errors and server unresponsiveness.

• 3.16.0

  • 在查询字符串中具有极高索引的稀疏数组可能会导致进程耗尽内存并使服务器崩溃。

    ¥Sparse arrays that have extremely high indexes in query string could cause the process to run out of memory and crash the server.

  • 极端嵌套的查询字符串对象可能会导致进程阻塞并使服务器暂时无响应。

    ¥Extremely nested query string objects could cause the process to block and make the server unresponsive temporarily.

• 3.3.0

  • 不受支持的方法覆盖尝试的 404 响应容易受到跨站点脚本攻击。

    ¥The 404 response of an unsupported method override attempt was susceptible to cross-site scripting attacks.