Question 1

Is there a bug in express 5.0.0?

Accepted Answer

app.use() with string path and trailing slash does not match subpaths After the path-to-regexp 8 upgrade, `app.use('/api/', ...)` no longer matched `/api/anything`. Fixed in 5.0.1 by normalizing trailing slashes. Fixed in express 5.0.1.

Question 2

Is there a bug in express <4.17.3?

Accepted Answer

Open redirect via malformed URL Old express versions do not sanitise certain redirect targets; upgrade to 4.17.3 or later. Also see CVE-2024-29041. Fixed in express 4.17.3.

Severity	Affected	Fixed in	Title	Status	Source
high	5.0.0	5.0.1	app.use() with string path and trailing slash does not match subpaths After the path-to-regexp 8 upgrade, `app.use('/api/', ...)` no longer matched `/api/anything`. Fixed in 5.0.1 by normalizing trailing slashes.	closed	github:#6014
high	<4.17.3	4.17.3	Open redirect via malformed URL Old express versions do not sanitise certain redirect targets; upgrade to 4.17.3 or later. Also see CVE-2024-29041.	closed	github:#4926

express known bugs