OSTIF is proud to share the results of our security audit of Express. Express is an open source web framework for Node.js that prioritizes performance and flexibility. With the help of the OpenJS Foundation and ADA Logics, this project can continue to thrive as a web application framework for users needing lightweight HTTP server tooling.

Audit Process:

While the majority of the audit effort was spent auditing the core Express.js code base, dependencies and libraries used in security roles were also in scope for review. The effort around the core code base also included an original high-level threat model created by the audit team. This security-focused threat model described potential threats and threat actors and included an expanded discussion of security hardening for web applications.

Audit Results:

  • 5 Issues with Security Impact

    • 5 Moderate Severity CVEs

  • Custom Threat Model

The Express security triage team and TSC members worked to address the issues reported by this audit and have fixed all of them. Further details on the resolutions can be found on the Express blog. All patches have been released, so please update to the latest version of the project to take advantage of the security work done by ADA Logics and the security triage team and to prevent exploitation of the 5 identified vulnerabilities. OSTIF thanks the Express security team for their efforts during and after this audit in hardening the security of their project.

Thank you to the individuals and groups that made this engagement possible:

  • The Express maintainers and community, especially Wes Todd, Ulises Gascón, Jon Church, and Chris de Almeida

  • ADA Logics: David Korczynski, Adam Korczynski, and Sheung Chi (Arthur) Chan

  • OpenJS Foundation, especially Ben Sternthal and Robin Ginn

You can read the Audit Report HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].