{"ecosystem":"npm","package":"express","version":null,"bugs":[{"id":20,"ecosystem":"npm","package_name":"express","affected_version":"5.0.0","fixed_version":"5.0.1","bug_id":"github:#6014","title":"app.use() with string path and trailing slash does not match subpaths","description":"After the path-to-regexp 8 upgrade, `app.use('/api/', ...)` no longer matched `/api/anything`. Fixed in 5.0.1 by normalizing trailing slashes.","severity":"high","status":"closed","source":"github_issues","source_url":"https://github.com/expressjs/express/issues/6014","labels":["bug","routing","breaking-change"],"created_at":"2026-04-19 03:24:37.025331+00:00","updated_at":"2026-04-19 03:25:24.807661+00:00"},{"id":1,"ecosystem":"npm","package_name":"express","affected_version":"<4.17.3","fixed_version":"4.17.3","bug_id":"github:#4926","title":"Open redirect via malformed URL","description":"Old express versions do not sanitise certain redirect targets; upgrade to 4.17.3 or later. Also see CVE-2024-29041.","severity":"high","status":"closed","source":"github_issues","source_url":"https://github.com/expressjs/express/issues/4926","labels":["security","redirect"],"created_at":"2026-04-19 02:03:59.598296+00:00","updated_at":"2026-04-19 02:03:59.598296+00:00"}],"total":2,"_cache":"hit"}