No Charset in Content-Type Header

Module: express

Published: September 12th, 2014

Reported by: Paweł Hałdrzyński

CVE-2014-6393

Vulnerable: <3.11 || >= 4 <4.5
Patched: >=3.11 <4 || >=4.5

Overview

Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.

Remediation

Update express to a patched version.

Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo