Sourced from The Node Security Working Group.

No Charset in Content-Type Header
Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.

Affected versions: <3.11 || >= 4 <4.5

Sourced from express's releases.

4.17.1

• Revert "Improve error message for null/undefined to res.status"

4.17.0

• Add express.raw to parse bodies into Buffer
• Add express.text to parse bodies into string
• Improve error message for non-strings to res.sendFile
• Improve error message for null/undefined to res.status
• Support multiple hosts in X-Forwarded-Host
• deps: accepts@~1.3.7
• deps: body-parser@1.19.0
  • Add encoding MIK
  • Add petabyte (pb) support
  • Fix parsing array brackets after index
  • deps: bytes@3.1.0
  • deps: http-errors@1.7.2
  • deps: iconv-lite@0.4.24
  • deps: qs@6.7.0
  • deps: raw-body@2.4.0
  • deps: type-is@~1.6.17
• deps: content-disposition@0.5.3
• deps: cookie@0.4.0
  • Add SameSite=None support
• deps: finalhandler@~1.1.2
  • Set stricter Content-Security-Policy header
  • deps: parseurl@~1.3.3
  • deps: statuses@~1.5.0
• deps: parseurl@~1.3.3
• deps: proxy-addr@~2.0.5
  • deps: ipaddr.js@1.9.0
• deps: qs@6.7.0
  • Fix parsing array brackets after index
• deps: range-parser@~1.2.1
• deps: send@0.17.1
  • Set stricter CSP header in redirect & error responses
  • deps: http-errors@~1.7.2
  • deps: mime@1.6.0
  • deps: ms@2.1.1
  • deps: range-parser@~1.2.1
  • deps: statuses@~1.5.0
  • perf: remove redundant path.normalize call
• deps: serve-static@1.14.1
  • Set stricter CSP header in redirect response
  • deps: parseurl@~1.3.3
  • deps: send@0.17.1
• deps: setprototypeof@1.1.1
• deps: statuses@~1.5.0
  • Add 103 Early Hints
• deps: type-is@~1.6.18
  • deps: mime-types@~2.1.24

... (truncated)

Sourced from express's changelog.

4.17.1 / 2019-05-25

• Revert "Improve error message for null/undefined to res.status"

4.17.0 / 2019-05-16

• Add express.raw to parse bodies into Buffer
• Add express.text to parse bodies into string
• Improve error message for non-strings to res.sendFile
• Improve error message for null/undefined to res.status
• Support multiple hosts in X-Forwarded-Host
• deps: accepts@~1.3.7
• deps: body-parser@1.19.0
  • Add encoding MIK
  • Add petabyte (pb) support
  • Fix parsing array brackets after index
  • deps: bytes@3.1.0
  • deps: http-errors@1.7.2
  • deps: iconv-lite@0.4.24
  • deps: qs@6.7.0
  • deps: raw-body@2.4.0
  • deps: type-is@~1.6.17
• deps: content-disposition@0.5.3
• deps: cookie@0.4.0
  • Add SameSite=None support
• deps: finalhandler@~1.1.2
  • Set stricter Content-Security-Policy header
  • deps: parseurl@~1.3.3
  • deps: statuses@~1.5.0
• deps: parseurl@~1.3.3
• deps: proxy-addr@~2.0.5
  • deps: ipaddr.js@1.9.0
• deps: qs@6.7.0
  • Fix parsing array brackets after index
• deps: range-parser@~1.2.1
• deps: send@0.17.1
  • Set stricter CSP header in redirect & error responses
  • deps: http-errors@~1.7.2
  • deps: mime@1.6.0
  • deps: ms@2.1.1
  • deps: range-parser@~1.2.1
  • deps: statuses@~1.5.0
  • perf: remove redundant path.normalize call
• deps: serve-static@1.14.1
  • Set stricter CSP header in redirect response
  • deps: parseurl@~1.3.3
  • deps: send@0.17.1
• deps: setprototypeof@1.1.1

... (truncated)

• e1b45eb 4.17.1
• 0a48e18 Revert "Improve error message for null/undefined to res.status"
• eed05a1 build: Node.js@12.3
• 10c7756 4.17.0
• 9dadca2 docs: remove Gratipay links
• b8e5056 tests: ignore unreachable line
• 94e48a1 build: update example dependencies
• efcb17d deps: cookie@0.4.0
• b9ecb9a build: support Node.js 12.x
• 5266f3a build: test against Node.js 13.x nightly
• Additional commits viewable in compare view

This version was pushed to npm by dougwilson, a new releaser for express since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)