Skip to main content

Express.js 5.2.1

Release Date: December 1, 2025

What Changed

Express.js 5.2.1 was released on December 1, 2025 as a follow-up patch to the 5.2.0 security release. The previous version included a fix for CVE-2024-51999 that introduced an unintended breaking change to the extended query parser. After further review, the CVE was rejected — no actual vulnerability existed — and the change has been fully reverted in 5.2.1.

  • Reverted query parser change — The extended query parser behavior returns to its pre-5.2.0 state; applications that experienced breakages after upgrading to 5.2.0 can now upgrade safely
  • No actual security vulnerability — CVE-2024-51999 has been officially rejected; the revert eliminates the erroneous breaking change

Why It Matters

For teams running Express 5 in production, 5.2.1 is the version to target. It provides the dependency updates and improvements from 5.2.0 (including body-parser 2.x) without the query parser regression. If you held off on upgrading to Express 5 because of the 5.2.0 issues, this is your green light.

Pending Improvements

The master branch shows several unreleased improvements expected in a future version:

  • HTTP header conflict fixres.send() no longer sets conflicting Content-Length and Transfer-Encoding headers
  • Better HTML redirect responsesres.redirect() now generates proper HTML with DOCTYPE, title, and body tags
  • Null options handlingapp.render('view', null, callback) now works as expected
  • content-type 2.0 upgrade — Faster parsing and better parameter preservation in responses
  • content-disposition 2.0 upgrade — File names that are valid HTTP tokens are no longer wrapped in quotes
  • Improved error logging — The default error handler now logs the full error object including Error.cause and nested properties

What's Next

Express.js continues to see active maintenance under its Technical Committee. With Express 5 now solidly in the stable channel, the team is focused on dependency upgrades, performance improvements, and remaining edge-case fixes. The upcoming release will include the changes listed above.

Express.js 5.2.1 is available on npm. Install or update with npm install [email protected].

What is New?

By continuing to use the site, you agree to the use of cookies.