pillarjs / send

Streaming static file server with Range and conditional-GET support
MIT License

Send 0.19.0 version showing vulnerability #237

Open harkotha2 opened 2 months ago

harkotha2 commented 2 months ago

We are currently using the latest version of send, 0.19.0, which is reported to have vulnerabilities. We need to know when a fix for these vulnerabilities is expected. Is there an estimated time of arrival (ETA) for a resolution?

Vulnerability: send vulnerable to template injection that can lead to XSS
URL: https://github.com/advisories/GHSA-m6fv-jmcg-4jfg

NewEraCracker commented 1 month ago

See: https://github.com/pillarjs/send/issues/239#issuecomment-2399134135

I think this was solved with express 4.21.0