Node Congress 2025: What is a Vulnerability and What’s Not? Making Sense of Node.js and Express Threat Models

Written by: Ulises Gascón

Apr 18, 2025 · 1 min read

Promotional banner for the talk

Security isn’t just about fixing bugs; it’s about understanding the assumptions we make (and avoiding unnecessary panic). In this talk, we’ll dive into the Node.js and Express threat models, which I co-authored, to break down what they trust, what they don’t, and why that actually matters for developers and security researchers.

We’ll take a look at real-world vulnerabilities that fit within these models, clear up some of the most common security misconceptions (because not everything is a critical meltdown), and explore how these security assumptions influence bug bounties, exploitability, and long-term fixes. By the end, attendees will walk away with a much better sense of what’s a real security risk, what isn’t, and how to build applications that won’t keep them up at night.

This talk was presented at Node Congress 2025; check out the latest edition of this JavaScript conference.

📖 Slides

🎒 Resources