## Critical CVSS 9.8 Flaws Reported in helmet 2.3.0 via Transitive Dependencies (debug, ms); No Patches Available
Security scanning has reported seven critical vulnerabilities in helmet version 2.3.0, a widely deployed middleware package that sets security-related HTTP response headers for Express and Connect applications. The highest severity among the findings is 9.8 on the CVSS scale, in the critical band. The flaws are not in helmet's own code: they sit in two transitive dependencies, debug-2.2.0.tgz and ms-0.7.1.tgz, which helmet 2.3.0 pulls in as sub-dependencies. That placement complicates remediation. Patching helmet's own sources does nothing; the nested copies of debug and ms have to resolve to different versions, and which versions they resolve to is governed by the dependency ranges declared in helmet 2.3.0 and in debug 2.2.0, not by the application's own package.json.

The report lists four identifiers for the findings, CVE-238984-357813, CVE-450047-622954, CVE-768328-330953, and CVE-984631-293917 (reproduced here as given in the source), each with a severity of 9.8. debug and ms are utility libraries with very broad adoption across the Node.js ecosystem, so the exposed population extends well beyond applications that reference helmet directly: any package that resolves these exact versions is affected. Transitive vulnerabilities are a persistent software supply chain problem precisely because developers rarely inspect the full dependency tree and the nested copies are not visible in package.json. Exploit maturity for these findings is listed as N/A and no EPSS (Exploit Prediction Scoring System) scores are available, so the 9.8 is a base score only: there is no signal either way about exploitability or active exploitation in the wild, and the rating should not be read as evidence of either.

No fixed versions or remediation paths are currently published for these findings. Organizations running helmet 2.3.0, or any package whose lockfile resolves debug to 2.2.0 or ms to 0.7.1, should first confirm exposure from the lockfile rather than from package.json (for example with `npm ls debug ms`, which prints every resolved copy and the path that pulls it in), monitor for security advisories, and evaluate compensating controls. Network segmentation and WAF rules are only useful if the flaw is reachable over the network, which the report does not state. Dependency pinning is the control an npm user can apply directly: the `overrides` field in package.json (npm 8.3 and later) forces a nested dependency to a chosen version without waiting for helmet to change its own ranges, with the caveat that the replacement version must itself be checked against the advisory data and the application retested. The report is a reminder that a single vulnerable transitive library in the npm ecosystem can cascade across thousands of downstream projects without their maintainers noticing.
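The lockfile check and the `overrides` suggestion described above, as an added example written for this page (it is not code from helmet or from the source report). It walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, applies Node's nearest-`node_modules` resolution to recover who depends on whom, prints every dependency chain from the application root to a flagged version, and drafts a parent-scoped `overrides` block. The lockfile contents are constructed for the example and are not helmet's real dependency tree; the candidate replacement versions are simply whatever other version of the same package already resolves elsewhere in the tree, which is a starting point to validate against the advisory, not a known fix.

```javascript
// Audit a package-lock.json (lockfileVersion 2/3 "packages" map) for flagged
// transitive versions and draft an npm "overrides" block that pins them.
// The lockfile below is CONSTRUCTED for this example; it is not helmet's real tree.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { express: "^4.0.0", helmet: "2.3.0" } },
    "node_modules/express": { version: "4.21.0", dependencies: { debug: "2.6.9" } },
    "node_modules/debug": { version: "2.6.9", dependencies: { ms: "2.0.0" } },
    "node_modules/ms": { version: "2.0.0" },
    "node_modules/helmet": { version: "2.3.0", dependencies: { debug: "2.2.0" } },
    "node_modules/helmet/node_modules/debug": { version: "2.2.0", dependencies: { ms: "0.7.1" } },
    "node_modules/helmet/node_modules/ms": { version: "0.7.1" },
  },
};

// Package name -> exact version the advisory flags.
const BAD = { debug: "2.2.0", ms: "0.7.1" };

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function pkgName(path) {
  const i = path.lastIndexOf("node_modules/");
  return path.slice(i + "node_modules/".length);
}

// Node resolution: look for node_modules/<dep> beside `fromPath`, then walk up
// one node_modules level at a time until the root ("") is reached.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Reverse edges: child path -> list of parent paths that depend on it.
function buildGraph(lock) {
  const pk = lock.packages;
  const parents = {};
  for (const [path, meta] of Object.entries(pk)) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(pk, path, dep);
      if (target) (parents[target] ||= []).push(path);
    }
  }
  return parents;
}

// Every chain "root > ... > flagged@version", one string per chain.
function findVulnerablePaths(lock, bad = BAD) {
  const pk = lock.packages;
  const parents = buildGraph(lock);
  const label = (p) => (p === "" ? pk[""].name || "(root)" : `${pkgName(p)}@${pk[p].version}`);
  const chains = [];
  const walk = (path, acc, seen) => {
    if (path === "") { chains.push([...acc].reverse().join(" > ")); return; }
    if (seen.has(path)) return; // cycle guard: npm trees can contain dependency cycles
    seen.add(path);
    for (const parent of parents[path] || []) walk(parent, [...acc, label(parent)], seen);
    seen.delete(path);
  };
  for (const [path, meta] of Object.entries(pk)) {
    if (path !== "" && bad[pkgName(path)] === meta.version) walk(path, [label(path)], new Set());
  }
  return chains;
}

// Draft a package.json "overrides" block scoped to the importing parent, so only
// the flagged nested copy is replaced. Candidate = another version of the same
// package already in the tree (assumption: a candidate, to be validated, not a fix).
function suggestOverrides(lock, bad = BAD) {
  const pk = lock.packages;
  const parents = buildGraph(lock);
  const overrides = {};
  for (const [path, meta] of Object.entries(pk)) {
    if (path === "") continue;
    const name = pkgName(path);
    if (bad[name] !== meta.version) continue;
    const others = Object.entries(pk)
      .filter(([p, m]) => p !== "" && pkgName(p) === name && m.version !== meta.version)
      .map(([, m]) => m.version);
    const candidate = others[0] || "<unaffected version: none present in tree>";
    for (const parent of parents[path] || []) {
      if (parent === "") { overrides[name] = candidate; continue; } // direct dependency
      const scope = pkgName(parent);
      if (typeof overrides[scope] === "string") overrides[scope] = { ".": overrides[scope] };
      (overrides[scope] ||= {})[name] = candidate;
    }
  }
  return overrides;
}

console.log(findVulnerablePaths(LOCKFILE).join("\n"));
console.log(JSON.stringify({ overrides: suggestOverrides(LOCKFILE) }, null, 2));
```

Run it with `node audit-lock.js` after replacing `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))`. The scoped form `{ "helmet": { "debug": "<version>" } }` is deliberate: a top-level `"debug": "<version>"` override would also rewrite express's copy and every other consumer, which widens the blast radius of a change made under uncertainty.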
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: npm, vulnerability, supply-chain, express, nodejs
- **Credibility**: unverified
- **Published**: 2026-05-11 04:10:33
- **ID**: 81724
- **URL**: https://whisperx.ai/en/intel/81724