Dokumen ini mungkin sudah ketinggalan zaman jika dibandingkan dengan dokumentasi dalam bahasa Inggris. Untuk informasi terkini, lihat dokumentasi dalam bahasa Inggris.
Node.js vulnerabilities directly affect Express. Therefore, keep a watch on Node.js vulnerabilities and make sure you are using the latest stable version of Node.js.
The list below enumerates the Express vulnerabilities that were fixed in the specified version update.
NOTE: If you believe you have discovered a security vulnerability in Express, please see Security Policies and Procedures.
forwarded
has been updated to address a vulnerability. This may affect your application if the following APIs are used: req.host
, req.hostname
, req.ip
, req.ips
, req.protocol
.mime
has been updated to address a vulnerability, but this issue does not impact Express.send
has been updated to provide a protection against a Node.js 8.5.0 vulnerability. This only impacts running Express on the specific Node.js version 8.5.0.debug
has been updated to address a vulnerability, but this issue does not impact Express.fresh
has been updated to address a vulnerability. This will affect your application if the following APIs are used: express.static
, req.fresh
, res.json
, res.jsonp
, res.send
, res.sendfile
res.sendFile
, res.sendStatus
.ms
has been updated to address a vulnerability. This may affect your application if untrusted string input is passed to the maxAge
option in the following APIs: express.static
, res.sendfile
, and res.sendFile
.qs
has been updated to address a vulnerability, but this issue does not impact Express. Updating to 4.15.2 is a good practice, but not required to address the vulnerability.express.static
, res.sendfile
, and res.sendFile
express.static
(advisory, CVE-2015-1164).express.static
(advisory , CVE-2014-6394).fd
s in certain situations that affect express.static
and res.sendfile
. Malicious requests could cause fd
s to leak and eventually lead to EMFILE
errors and server unresponsiveness.Express 3.x IS END-OF-LIFE AND NO LONGER MAINTAINED
Known and unknown security and performance issues in 3.x have not been addressed since the last update (1 August, 2015). It is highly recommended to use the latest version of Express.
If you are unable to upgrade past 3.x, please consider Commercial Support Options.
express.static
, res.sendfile
, and res.sendFile
express.static
(advisory, CVE-2015-1164).express.static
.fd
s in certain situations that affect express.static
and res.sendfile
. Malicious requests could cause fd
s to leak and eventually lead to EMFILE
errors and server unresponsiveness.