No Charset in Content-Type Header in express
Moderate severity
GitHub Reviewed
Published by the National Vulnerability Database: Aug 9, 2017
Published to the GitHub Advisory Database: Oct 23, 2018
Reviewed: Jun 16, 2020
Last updated: Feb 1, 2023

Description
Vulnerable versions of express do not specify a charset field in the Content-Type header when sending 400-level response messages. Because the user's browser is not told which charset to apply, it may sniff one, and an attacker could leverage this to perform a cross-site scripting attack using a non-standard encoding such as UTF-7.
Recommendation
For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later.
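As an added illustration (not code from the advisory or from Express itself), the helper below detects a text Content-Type that lacks a charset parameter and shows a middleware-style wrapper that adds an explicit one before the header is sent; `lacksCharset`, `withCharset`, `enforceCharset` and the stand-in response object are all constructed for this example.

```javascript
// Return true when a Content-Type value names a text type but carries no
// charset parameter: the condition the advisory describes for 4xx bodies.
function lacksCharset(contentType) {
  if (typeof contentType !== 'string') return false;
  const [type, ...params] = contentType
    .split(';')
    .map((s) => s.trim().toLowerCase());
  const hasCharset = params.some((p) => p.startsWith('charset='));
  return type.startsWith('text/') && !hasCharset;
}

// Append an explicit charset when one is missing; other values pass through.
function withCharset(contentType, charset = 'utf-8') {
  return lacksCharset(contentType)
    ? `${contentType}; charset=${charset}`
    : contentType;
}

// Express-style middleware (hypothetical, not part of Express): wrap
// res.setHeader so any text Content-Type set later in the request cycle,
// including on error responses, carries a charset.
function enforceCharset(req, res, next) {
  const original = res.setHeader.bind(res);
  res.setHeader = (name, value) => {
    if (String(name).toLowerCase() === 'content-type') {
      value = withCharset(String(value));
    }
    return original(name, value);
  };
  next();
}

// Minimal stand-in for a response object, constructed for this example.
function makeFakeRes() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[String(name).toLowerCase()] = value; },
  };
}

// Simulate an error handler that, like the vulnerable behaviour, sets a bare
// text/html Content-Type; with the middleware applied it gains a charset.
function simulate400() {
  const res = makeFakeRes();
  enforceCharset({}, res, () => {});
  res.setHeader('Content-Type', 'text/html');
  return res.headers['content-type'];
}
```

Running `lacksCharset` over captured response headers is also a quick way to audit a deployment for the condition before upgrading.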