All express CVEs — Complete Vulnerability History
Express is the most widely used Node.js web framework. It has had a relatively small number of direct CVEs given its age and popularity — most Express-related vulnerabilities come through its dependencies like qs and path-to-regexp.
npm · 30M+ weekly downloads · 4 CVEs total · 🔴 CISA KEV
CVE history — all 4 known vulnerabilities
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2014-6393 | 2014 | MEDIUM | Cross-site scripting via crafted HTTP header | Fixed in 3.1.0 |
| CVE-2016-1000236 | 2016 | MEDIUM | Timing attack in cookie signature comparison | Fixed in 4.14.2 |
| CVE-2022-24999 | 2022 | 🔴 HIGH | Prototype pollution via qs dependency — CISA KEV | Fixed in 4.18.2 |
| CVE-2024-29041 | 2024 | MEDIUM | Open redirect via response.redirect() | Fixed in 4.19.2 |
Current safe version
✓ Update to 4.19.2
The latest safe version addresses all 4 known CVEs listed above.
Before and after
Vulnerable:
"express": "4.17.1"
Fixed:
"express": "4.19.2"
Then run: npm install
Paste your manifest — see your exact installed version against this full CVE list.
Scan with PackageFix → Free · No signup · No CLI · Runs in your browser
Common questions
Does Express itself have many CVEs?
Express has surprisingly few direct CVEs for a framework of its age and popularity — most express-related vulnerabilities come through transitive dependencies like qs (prototype pollution) and path-to-regexp (ReDoS). Keeping express updated pulls in safe versions of these dependencies.
What does CVE-2024-29041 mean for my app?
It means res.redirect() called with a user-controlled URL could send users to external sites. If you pass any user input to res.redirect(), validate the URL first. The fix in 4.19.2 adds stricter URL validation.
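As an added example (not code from this page or from Express itself), here is one way to validate a user-supplied redirect target before it reaches res.redirect(): only same-site paths are accepted, and everything else falls back to a fixed location. The handler name and the `next` query parameter are assumptions; the helper needs no Express install to run.

```javascript
// Dummy base used only to resolve relative references; it never leaks into
// the result because only path, query and fragment are returned.
const LOCAL_BASE = "http://localhost";

// Return a same-site path for `raw`, or `fallback` when the value is missing,
// absolute, protocol-relative, scheme-bearing, or contains control characters.
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  // Reject CR/LF and other control bytes before they reach the Location header.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return fallback;
  // A local target starts with exactly one slash: "//host" and "/\host" are
  // treated as protocol-relative by browsers and by the WHATWG URL parser.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return fallback;
  }
  let parsed;
  try {
    parsed = new URL(raw, LOCAL_BASE);
  } catch {
    return fallback;
  }
  // Belt and braces: anything that resolved to another origin is rejected.
  if (parsed.origin !== LOCAL_BASE) return fallback;
  // Normalised path (".." segments collapsed), query and fragment only.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Vulnerable shape: res.redirect(req.query.next) forwards whatever the client
// supplied. Hardened handler (hypothetical route): validate first, then redirect.
function afterLoginHandler(req, res) {
  const target = safeRedirectTarget(req.query && req.query.next);
  res.redirect(target);
  return target;
}
```

Wire `afterLoginHandler` into an Express 4.x route (for example `app.get("/login/done", afterLoginHandler)`) and only paths on your own site will ever be passed to res.redirect().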
Is express 5.x stable?
Express 5.x reached release candidate status in 2024. It includes security improvements and better promise handling. If you're starting a new project, 5.x is worth evaluating. For existing projects, 4.19.2 remains well-maintained.
How do I fix the qs prototype pollution coming through Express?
Updating Express to 4.18.0 or later pulls in a safe version of qs. If you can't upgrade Express, add an npm override in package.json: {"overrides": {"qs": "6.11.0"}}.