Express.js 5.2.1
What Changed
Express.js 5.2.1 was released on December 1, 2025 as a follow-up patch to the 5.2.0 security release. The previous version included a fix for CVE-2024-51999 that introduced an unintended breaking change to the extended query parser. After further review, the CVE was rejected — no actual vulnerability existed — and the change has been fully reverted in 5.2.1.
- Reverted query parser change — The extended query parser behavior returns to its pre-5.2.0 state; applications that experienced breakages after upgrading to 5.2.0 can now upgrade safely
- No actual security vulnerability — CVE-2024-51999 has been officially rejected; the revert eliminates the erroneous breaking change
Why It Matters
For teams running Express 5 in production, 5.2.1 is the version to target. It provides the dependency updates and improvements from 5.2.0 (including body-parser 2.x) without the query parser regression. If you held off on upgrading to Express 5 because of the 5.2.0 issues, this is your green light.
Pending Improvements
The master branch shows several unreleased improvements expected in a future version:
- HTTP header conflict fix —
res.send()no longer sets conflicting Content-Length and Transfer-Encoding headers - Better HTML redirect responses —
res.redirect()now generates proper HTML with DOCTYPE, title, and body tags - Null options handling —
app.render('view', null, callback)now works as expected - content-type 2.0 upgrade — Faster parsing and better parameter preservation in responses
- content-disposition 2.0 upgrade — File names that are valid HTTP tokens are no longer wrapped in quotes
- Improved error logging — The default error handler now logs the full error object including Error.cause and nested properties
What's Next
Express.js continues to see active maintenance under its Technical Committee. With Express 5 now solidly in the stable channel, the team is focused on dependency upgrades, performance improvements, and remaining edge-case fixes. The upcoming release will include the changes listed above.
Express.js 5.2.1 is available on npm. Install or update with npm install [email protected].