Skip to content

fix(express): Update express to 4.22.1 to address CVE-2025-15284#16157

Merged
kamilmysliwiec merged 1 commit intonestjs:10.4.20from
Xilis:fix/express-version-flexibility
Jan 8, 2026
Merged

fix(express): Update express to 4.22.1 to address CVE-2025-15284#16157
kamilmysliwiec merged 1 commit intonestjs:10.4.20from
Xilis:fix/express-version-flexibility

Conversation

@Xilis
Copy link

@Xilis Xilis commented Jan 5, 2026

Summary

Bumps Express from 4.21.2 to 4.22.1 to address CVE-2025-15284 (qs arrayLimit bypass allowing DoS via memory exhaustion).

  • Express 4.22.1 uses qs ~6.14.0 which resolves to qs@6.14.1 containing the fix
  • GHSA-6rw7-vpxm-498p

Changes

  • package.json: express 4.21.2 → 4.22.1
  • packages/platform-express/package.json: express 4.21.2 → 4.22.1
  • package-lock.json: updated (qs now at 6.14.1)

@Xilis Xilis force-pushed the fix/express-version-flexibility branch from e4d88c1 to 2f853c0 Compare January 5, 2026 09:42
@Xilis Xilis force-pushed the fix/express-version-flexibility branch from 2f853c0 to eb0f29d Compare January 5, 2026 09:45
@kamilmysliwiec kamilmysliwiec merged commit 5ab165a into nestjs:10.4.20 Jan 8, 2026
1 of 2 checks passed
@mmollick
Copy link

mmollick commented Jan 8, 2026

body-parser also relies on qs@6.13.0 so this PR doesn't fully address the CVE

@Xilis Xilis mentioned this pull request Jan 9, 2026
Merged
@Xilis
Copy link
Author

Xilis commented Jan 9, 2026

Thanks @mmollick for catching this! Opened #16178 to address it.

@Xilis Xilis deleted the fix/express-version-flexibility branch January 12, 2026 10:31
@krzysdz krzysdz mentioned this pull request Jan 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Xilis @mmollick @kamilmysliwiec