chore(deps): update dependency express to v4.20.0 [security]#111
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency express to v4.20.0 [security]#111renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
September 17, 2024 01:38
9cad6bd to
15e3ef3
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
October 9, 2024 11:16
15e3ef3 to
53314f8
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
December 2, 2024 11:47
53314f8 to
8687c51
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
January 23, 2025 17:50
8687c51 to
9c3ad87
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
January 30, 2025 17:14
9c3ad87 to
2395cb6
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
February 9, 2025 13:48
2395cb6 to
f78620f
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
March 3, 2025 11:44
f78620f to
7672fa8
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
March 11, 2025 10:27
7672fa8 to
697978f
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 1, 2025 10:56
697978f to
e7d62d3
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 8, 2025 10:23
e7d62d3 to
5b9dd4d
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 24, 2025 07:06
5b9dd4d to
2f9334f
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
May 28, 2025 09:46
2f9334f to
733da98
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
June 22, 2025 15:28
733da98 to
163463d
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
July 2, 2025 19:15
163463d to
9838a24
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
September 25, 2025 16:02
4335199 to
06dc2fb
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
October 21, 2025 15:43
06dc2fb to
6dde1bb
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
November 11, 2025 00:58
6dde1bb to
0509e60
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
November 18, 2025 10:12
0509e60 to
92c1414
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
December 3, 2025 18:24
92c1414 to
a25f3eb
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
December 31, 2025 12:33
a25f3eb to
3e190ce
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
February 17, 2026 20:55
dd1f161 to
b827773
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
March 5, 2026 15:06
b827773 to
93d0a1c
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
March 30, 2026 17:32
93d0a1c to
b4afcbe
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
April 8, 2026 14:53
b4afcbe to
6f0a0ff
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
April 28, 2026 00:51
6f0a0ff to
3707a94
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
May 18, 2026 12:46
74b3728 to
9124e28
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
2 times, most recently
from
June 1, 2026 19:56
133ca8b to
19676b3
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
June 13, 2026 15:52
19676b3 to
9adc33f
Compare
renovate
Bot
force-pushed
the
renovate/npm-express-vulnerability
branch
from
July 12, 2026 17:48
9adc33f to
f0d5c1f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.18.2→4.20.0Express.js Open Redirect in malformed URLs
CVE-2024-29041 / GHSA-rv95-896h-c2vc
More information
Details
Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using
encodeurlon the contents before passing it to thelocationheader. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.The main method impacted is
res.location()but this is also called from withinres.redirect().Patches
expressjs/express@0867302
expressjs/express@0b74695
An initial fix went out with
express@4.19.0, we then patched a feature regression in4.19.1and added improved handling for the bypass in4.19.2.Workarounds
The fix for this involves pre-parsing the url string with either
require('node:url').parseornew URL. These are steps you can take on your own before passing the user input string tores.locationorres.redirect.Resources
https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
express vulnerable to XSS via response.redirect()
CVE-2024-43796 / GHSA-qw6h-vgh9-j6wx
More information
Details
Impact
In express <4.20.0, passing untrusted user input - even after sanitizing it - to
response.redirect()may execute untrusted codePatches
this issue is patched in express 4.20.0
Workarounds
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
Details
successful exploitation of this vector requires the following:
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
expressjs/express (express)
v4.20.0Compare Source
==========
depthoption to customize the depth level in the parserdepthlevel for parsing URL-encoded data is now32(previously wasInfinity)res.redirect\,|, and^to align better with URL specoptions.maxAgeandoptions.expirestores.clearCookiev4.19.2Compare Source
==========
v4.19.1Compare Source
==========
v4.19.0Compare Source
==========
v4.18.3Compare Source
==========
partitionedoptionConfiguration
📅 Schedule: (in timezone Asia/Kolkata)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.