Package details: pkg:npm/connect@2.8.1
purl pkg:npm/connect@2.8.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-81fd-hg84-jkcm
Summary: Cross-Site Scripting with connect.methodOverride()
The middleware overwrites req.method with the req.body['_method'] value. When the error is not caught, it responds with a default error message: "Cannot [METHOD] [URL]". Because this output is not sufficiently sanitized, Cross-Site Scripting can be forced in the response.
Aliases: GMS-2013-13

VCID-ff4q-8qw9-dfc1
Summary: methodOverride Middleware Reflected Cross-Site Scripting
Connect is a stack of middleware that is executed in order on each request. The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" POST key or with the header "x-http-method-override". Because the user-supplied POST input was not checked, req.method could contain any kind of value. Because req.method did not match any common method verb, Connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

### Example:
```
~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>"
Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /
```

### Credit:
[Sergio Arcos](https://twitter.com/martes_trece)

### History
- (2013-06-27) Bug reported: https://github.com/senchalabs/connect/issues/831
- (2013-06-27) First fix: escape req.method output https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
- (2013-06-27) Second fix: whitelist https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

Aliases: CVE-2013-7371, GHSA-6w62-83g6-rfhj

VCID-nbgt-whdd-xyf9
Summary: methodOverride Middleware Reflected Cross-Site Scripting
Connect is a stack of middleware that is executed in order on each request. The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" POST key or with the header "x-http-method-override". Because the user-supplied POST input was not checked, req.method could contain any kind of value. Because req.method did not match any common method verb, Connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.

### Example:
```
~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>"
Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /
```

### Credit:
[Sergio Arcos](https://twitter.com/martes_trece)

### History
- (2013-06-27) Bug reported: https://github.com/senchalabs/connect/issues/831
- (2013-06-27) First fix: escape req.method output https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
- (2013-06-27) Second fix: whitelist https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

Aliases: CVE-2013-7370
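
The advisories above name two fixes: escaping req.method in the 404 body, and restricting the override to known verbs. The sketch below is an added example, not Connect's source code; every function name and the allow-list contents are assumptions made for illustration, and the request object is constructed from the payload in the advisory's curl example.

```javascript
// Added illustration; not Connect's source. All function names are hypothetical.

// Assumed allow-list for this sketch; the project's own list may differ.
const ALLOWED = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']);

// Pre-fix behaviour as the advisory describes it: any "_method" body value or
// "x-http-method-override" header replaces req.method without validation.
function overrideUnchecked(req) {
  const v = (req.body && req.body._method) || req.headers['x-http-method-override'];
  if (v) req.method = String(v).toUpperCase();
  return req;
}

// "Second fix" idea: accept an override only when it names a known verb.
function overrideAllowListed(req) {
  const v = (req.body && req.body._method) || req.headers['x-http-method-override'];
  const m = v ? String(v).toUpperCase() : '';
  if (ALLOWED.has(m)) req.method = m;
  return req;
}

// Minimal HTML entity encoder for text placed in an HTML response body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Default 404 body: raw (pre-fix) and escaped ("first fix" idea).
// Escaping req.url as well is this example's choice.
const notFoundRaw = req => `Cannot ${req.method} ${req.url}`;
const notFoundEscaped = req => `Cannot ${escapeHtml(req.method)} ${escapeHtml(req.url)}`;

// Constructed request carrying the payload quoted in the advisory's curl example.
function sampleRequest() {
  return { method: 'POST', url: '/', headers: {},
           body: { _method: '<script src=http://nodesecurity.io/xss.js></script>' } };
}

// Runs the same request through each variant so the bodies can be compared.
function demo() {
  return {
    raw: notFoundRaw(overrideUnchecked(sampleRequest())),
    escaped: notFoundEscaped(overrideUnchecked(sampleRequest())),
    allowListed: notFoundRaw(overrideAllowListed(sampleRequest())),
  };
}

console.log(demo());
```

The two fixes are complementary: escaping protects the error page whatever value reaches it, while the allow-list keeps arbitrary strings out of req.method for every later middleware that reads it.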

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:36:09.526112+00:00 | GitLab Importer | Fixing | VCID-81fd-hg84-jkcm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/connect/GMS-2013-13.yml | 38.6.0 |
| 2026-06-02T03:45:01.881951+00:00 | Npm Importer | Fixing | VCID-ff4q-8qw9-dfc1 | https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json | 38.6.0 |
| 2026-06-02T03:45:01.397288+00:00 | Npm Importer | Fixing | VCID-nbgt-whdd-xyf9 | https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json | 38.6.0 |