No Charset in Content-Type Header

Module: express

Published: September 12th, 2014

Reported by: Paweł Hałdrzyński



Vulnerable: <3.11 || >= 4 <4.5
Patched: >=3.11 <4 || >=4.5


Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.


For express 3.x, update express to version 3.11 or later. For express 4.x, update express to version 4.5 or later.