No Charset in Content-Type Header in express

GHSA-gpvr-g6gh-9mc2 · CVE-2014-6393

Published Oct 23, 2018 · Modified Nov 8, 2023

Description

Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.

Recommendation

For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-6393
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1203190
ADVISORY https://github.com/advisories/GHSA-gpvr-g6gh-9mc2
WEB https://www.npmjs.com/advisories/8

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes