3.21.x Release Notes
Comprehensive release notes and changelog for 3.21.x, including security patches, bug fixes, and feature updates across all supported versions.
15 Patched Vulnerabilities
3.21.5 (NES) - October 17, 2024
This release improves the handling of header data and attributes in the response component and updates dependencies to resolve vulnerabilities.
- Response: Improve handling and sanitizing of content used in default HTML from response.redirect()
- This fixes a Medium Severity XSS vulnerability (CVE-2024-43796)
- Response: Improve handling of cookie attributes used in response.clearCookie()
- Response: Improve handling of Link header attributes used in response.links()
- This fixes a Medium Severity Resource Injection vulnerability (CVE-2024-10491)
- Dependencies:
- cookie@0.7.2 to remediate CVE-2024-47764
- mkdirp@0.5.6 to remediate CVE-2021-44906 and CVE-2020-7598 via minimist@1.2.6 dependency
- fresh@0.5.2 to remediate CVE-2017-16119
- debug@2.6.9 to remediate CVE-2017-16137
- send@0.19.1 to remediate CVE-2017-16138 via mime@1.6.0 dependency
- ejs@2.5.9 to remediate CVE-2017-1000188, CVE-2018-1000189, and CVE-2018-1000228
- marked@0.3.19 to remediate CVE-2017-1000427, CVE-2016-10531, and CVE-2017-16114
- Full Version: 3.21.2-express-3.21.5
Breaking Changes:
- None
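To confirm that a deployed tree actually carries the dependency versions listed for 3.21.5, the following added example (not part of these release notes or of the Express NES code) scans the `packages` map of a package-lock.json, lockfileVersion 2 or 3, and reports every installed copy below the listed version, including nested copies. Treating the listed versions as minimums, the function names, and the sample lockfile are assumptions made for this illustration.

```javascript
// Versions copied from the 3.21.5 dependency list above, treated here as
// minimums (assumption of this added example).
const MIN_VERSIONS = {
  cookie: '0.7.2', mkdirp: '0.5.6', minimist: '1.2.6', fresh: '0.5.2',
  debug: '2.6.9', send: '0.19.1', mime: '1.6.0', ejs: '2.5.9', marked: '0.3.19',
};

// Compare plain x.y.z versions numerically; any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk every entry of the lockfile's "packages" map and collect the ones
// whose package name is in MIN_VERSIONS and whose version is too old.
function findOutdated(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue; // skips the root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    const min = MIN_VERSIONS[name];
    if (min && compareVersions(meta.version, min) < 0) {
      findings.push({ path, name, installed: meta.version, required: min });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/cookie': { version: '0.7.2' },
    'node_modules/express/node_modules/cookie': { version: '0.1.3' },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
    'node_modules/debug': { version: '2.6.9' },
  },
};

console.log(findOutdated(sampleLock));
```

A nested copy such as `node_modules/express/node_modules/cookie` is reported even when the top-level copy is current, which is the case a check of direct dependencies alone would miss.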
3.21.4 (NES) - August 23, 2024
This release further improves the handling of URLs when used for setting the "Location" header in the response component.
- Response: Improve handling of path strings and relative URLs used when setting the "Location" header for redirects
- This fixes a Medium Severity XSS vulnerability (CVE-2024-9266)
- Full Version: 3.21.2-express-3.21.4
Breaking Changes:
- None
3.21.3 (NES) - August 23, 2024
- This is the initial base release of Express 3.21.x NES. This release contains no functional changes from Express 3.21.2.
- Full Version: 3.21.2-express-3.21.3
Breaking Changes:
- None