CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47944 – Multer vulnerable to Denial of Service from maliciously crafted requests
https://notcve.org/view.php?id=CVE-2025-47944
19 May 2025 — Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available. • https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665 • CWE-248: Uncaught Exception •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47935 – Multer vulnerable to Denial of Service via memory leaks from unclosed streams
https://notcve.org/view.php?id=CVE-2025-47935
19 May 2025 — Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manua... • https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9266 – Open Redirect
https://notcve.org/view.php?id=CVE-2024-9266
03 Oct 2024 — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0. • https://www.herodevs.com/vulnerability-directory/cve-2024-9266 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47178 – basic-auth-connect's callback uses time unsafe string comparison
https://notcve.org/view.php?id=CVE-2024-47178
30 Sep 2024 — basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0. • https://github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203 • CWE-208: Observable Timing Discrepancy •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45590 – body-parser vulnerable to denial of service when url encoding is enabled
https://notcve.org/view.php?id=CVE-2024-45590
10 Sep 2024 — body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3. A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. • https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce • CWE-405: Asymmetric Resource Consumption (Amplification) •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43800 – serve-static affected by template injection that can lead to XSS
https://notcve.org/view.php?id=CVE-2024-43800
10 Sep 2024 — serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0. serve-static sirve archivos estáticos. serve-static pasa información de usuario no confiable (incluso después de sanearla) a redirect() y puede ejecutar código no confiable. Este problema se solucionó en serve-static 1.16.0. A flaw was found in serve-static. This issue may allow the execution of untrusted code via pass... • https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43796 – express vulnerable to XSS via response.redirect()
https://notcve.org/view.php?id=CVE-2024-43796
10 Sep 2024 — Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. Express.js, el framework web minimalista para Node. En Express anterior a la versión 4.20.0, pasar una entrada de usuario no confiable (incluso después de desinfectarla) a response.redirect() puede ejecutar código no confiable. • https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29041 – Express.js Open Redirect in malformed URLs
https://notcve.org/view.php?id=CVE-2024-29041
25 Mar 2024 — Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow li... • https://expressjs.com/en/4x/api.html#res.location • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16136
https://notcve.org/view.php?id=CVE-2017-16136
07 Jun 2018 — method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header. method-override es un módulo empleado por el framework Express.js para permitir el uso de verbos HTTP como PUT o DELETE en lugares no soportados por el cliente. method-override... • https://github.com/ossf-cve-benchmark/CVE-2017-16136 • CWE-400: Uncontrolled Resource Consumption •