The following flaw was found in Express:
Vulnerable versions of Express do not specify a charset field in the Content-Type header while displaying 400-level response messages. Because the user's browser is not forced to use the correct charset, an attacker could leverage this to perform a cross-site scripting attack using non-standard encodings, like UTF-7.
This flaw is fixed in versions 3.11 and 4.5 of Express.
Created nodejs-express tracking bugs for this issue:
Affects: fedora-all [bug 1203191]
Affects: epel-6 [bug 1203192]
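A check for the condition described in the flaw report above, as an added example that is not Express code or part of the original report: it parses the Content-Type header of 4xx responses and flags text responses that declare no charset. The function names, the allowed-charset policy and the sample responses are assumptions constructed for illustration.

```javascript
// Assumed policy: the only charset we accept on text error pages.
const ALLOWED_CHARSETS = new Set(['utf-8']);

// Parse a Content-Type value into { type, params }.
// Simplification: splits on ';', which is sufficient for charset parameters.
function parseContentType(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const [type, ...rest] = value.split(';');
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    // Parameter values may be quoted: charset="UTF-8"
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    params[name] = val;
  }
  return { type: type.trim().toLowerCase(), params };
}

// Classify one response object of the form { status, headers }.
function auditErrorResponse(res) {
  if (res.status < 400 || res.status > 499) return 'not-4xx';
  // Header names are case-insensitive.
  const key = Object.keys(res.headers || {}).find(k => k.toLowerCase() === 'content-type');
  const ct = parseContentType(key ? res.headers[key] : undefined);
  if (!ct) return 'missing-content-type';
  if (!ct.type.startsWith('text/')) return 'skipped-non-text';
  const charset = (ct.params.charset || '').toLowerCase();
  if (!charset) return 'missing-charset'; // the condition this report describes
  return ALLOWED_CHARSETS.has(charset) ? 'ok' : 'unexpected-charset';
}

// Constructed sample responses (not captured from a real server).
const samples = [
  { name: 'no charset', status: 404, headers: { 'Content-Type': 'text/html' } },
  { name: 'charset set', status: 404, headers: { 'content-type': 'text/html; charset="UTF-8"' } },
  { name: 'odd charset', status: 400, headers: { 'Content-Type': 'text/plain; charset=utf-7' } },
  { name: 'no header', status: 403, headers: {} },
  { name: 'success', status: 200, headers: { 'Content-Type': 'text/html' } },
];

function auditAll(list) {
  return list.map(r => `${r.name}: ${auditErrorResponse(r)}`);
}

console.log(auditAll(samples).join('\n'));
```

The same classification can be run over responses collected from a test suite or a proxy log to confirm that a deployed version carries the fix.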