Ulises Gascón / Security Work
When a vulnerability hits a package with 100M+ weekly downloads, someone needs to assess it, coordinate the fix, and ship a patch. Quickly and responsibly. That's the work. I serve as primary coordinator of the OpenJS Foundation CNA, I have authored threat models and incident response plans for Node.js, Express, Lodash, and Webpack, and I am credited on dozens of security advisories across the npm ecosystem. Most of this is volunteer work. Initiatives like Alpha-Omega and the Sovereign Tech Fund have provided critical support at key moments, but funding is temporary. The work isn't.
I write fixes, review patches, and coordinate disclosure for some of the most depended-on packages in the npm ecosystem.
Credited advisories by package: multer (7) · undici (6) · lodash (3) · path-to-regexp (3) · fastify (2) · body-parser (2) · express (2) · middie (1) · on-headers (1) · basic-auth-connect (1) · send (1) · serve-static (1)
| Role | Count |
|---|---|
| Remediation Reviewer | 16 |
| Remediation Developer | 10 |
| Analyst | 3 |
| Coordinator | 1 |
Full advisory details by package
multer — 7 advisories (Express.js file upload middleware)
| CVE | Severity | My Role |
|---|---|---|
| CVE-2026-3520 | High | Remediation Reviewer |
| CVE-2026-3304 | High | Remediation Reviewer |
| CVE-2026-2359 | High | Remediation Reviewer |
| CVE-2025-7338 | High | Analyst |
| CVE-2025-48997 | High | Remediation Reviewer |
| CVE-2025-47944 | High | Remediation Reviewer |
| CVE-2025-47935 | High | Coordinator |
undici — 6 advisories (Node.js built-in HTTP client)
| CVE | Severity | My Role |
|---|---|---|
| CVE-2026-1526 | High | Remediation Reviewer |
| CVE-2026-2229 | High | Remediation Reviewer |
| CVE-2026-1528 | High | Remediation Developer |
| CVE-2026-1527 | Moderate | Remediation Developer |
| CVE-2026-2581 | Moderate | Remediation Reviewer |
| CVE-2026-1525 | Moderate | Remediation Reviewer |
lodash — 3 advisories (JavaScript utility library)
| CVE | Severity | My Role |
|---|---|---|
| CVE-2026-4800 | High | Remediation Developer |
| CVE-2026-2950 | Moderate | Remediation Reviewer |
| CVE-2025-13465 | Moderate | Remediation Developer |
path-to-regexp — 3 advisories
| CVE | Severity | My Role |
|---|---|---|
| CVE-2026-4926 | High | Remediation Reviewer |
| CVE-2026-4867 | High | Remediation Reviewer |
| CVE-2026-4923 | Moderate | Remediation Reviewer |
fastify — 2 advisories (Web framework for Node.js)
| CVE | Severity | My Role |
|---|---|---|
| CVE-2026-3635 | Moderate | Remediation Reviewer |
| CVE-2026-3419 | Moderate | Remediation Reviewer |
body-parser — 2 advisories (Express.js request body parsing)
| CVE | Severity | My Role |
|---|---|---|
| CVE-2024-45590 | High | Remediation Developer |
| CVE-2025-13466 | Moderate | Remediation Reviewer |
express — 2 advisories (Web framework for Node.js)
| CVE | Severity | My Role |
|---|---|---|
| CVE-2024-29041 | Moderate | Analyst |
| CVE-2024-43796 | Low | Remediation Developer |
Other packages — 5 advisories (middie, on-headers, basic-auth-connect, send, serve-static)
| CVE | Package | Severity | My Role |
|---|---|---|---|
| CVE-2026-2880 | middie | High | Remediation Developer |
| CVE-2024-47178 | basic-auth-connect | High | Remediation Developer |
| CVE-2025-7339 | on-headers | Low | Analyst |
| CVE-2024-43799 | send | Low | Remediation Developer |
| CVE-2024-43800 | serve-static | Low | Remediation Developer |
For the full and up-to-date list, see my credited advisories on GitHub.
Formal roles across the ecosystem:
- Primary Coordinator of the OpenJS Foundation CNA (CVE Numbering Authority) since 2025
- Member of the Webpack Security triage team since 2026
- Member of the Webpack Security WG since 2025
- Participant of the TC39 TG3 (Security WG) since 2024
- Member of the OpenJS Security Working Group since 2024
- Member of the Express.js Technical Committee since 2024
- Member of the Node.js Security WG since 2022
- OWASP (The Open Web Application Security Project) Member since 2022
- Maintainer of the OSSF Scorecard Monitor and the OSSF Scorecard Visualizer since 2023
- Creator of the Express.js Security Working Group and the security triage team
- Member of the Express.js Triage Team since 2020
Recognition: GitHub Secure Open Source Fund participant · Snyk Ambassador (2023-2026) · JavaScriptLandia Awards, Leading by Example (2024)
Threat Models, defining what is and isn't a vulnerability:
- Node.js Official Threat Model
- Node.js Contributor Threat Model
- Node.js Maintainers Threat Model
- Express.js Threat Model
- Lodash Threat Model
- Webpack Threat Model
Incident Response Plans, what happens when a vulnerability is confirmed:
- OpenJS Foundation Incident Response Plan
- Express.js Incident Response Plan
- Lodash Incident Response Plan
Guides & Standards:
- Node.js Security Best Practices
- GitHub's Open Source Guide, Security Best Practices. Extended with information on licenses, vulnerability reporting, threat models, and IRPs.
- Publishing More Securely on npm
Tooling:
- OpenJS Foundation Command Center. Security and compliance dashboard for OpenJS Foundation projects.
- OpenPathfinder. Security and health monitoring platform for open source projects.
- OSSF Scorecard Monitor. Tracks OpenSSF Scorecard results over time.
- OSSF Scorecard Visualizer. Visual dashboard for OpenSSF Scorecard data.
Initiatives:
- Coordinated the Express.js security audit with OSTIF
- Helped adopt Never-Ending Support (NES) with HeroDevs for Express
- Led adoption of the OpenSSF Scorecard for Express.js and Node.js
- Achieved OpenSSF CII Best Practices Silver and Gold for Node.js
- Driving the Express.js bug bounty program on YesWeHack
- Kicked off the Webpack Security WG
- Contributed to the EU Commission consultation on Cybersecurity Act revision via the ORC WG
Talks: What Comes After Chaos? · Making Sense of Threat Models · Strengthening the Supply Chain · Node4Hackers · Tu Servidor en NodeJS es vulnerable? · Personal Privacy 101 · TOR para Developers 101 · All talks
JavaScript Security Snapshot (video series with the OpenJS Foundation, Alpha-Omega, and NodeSource): Incident Response Plan · How Express Handles Security · How to Get Involved · What is even a CVE?
Writing:
- What CVE-2025-13465 Teaches Us About Prototype Pollution in JavaScript (Jan 2026)
- Lodash Rolls Out Major Security Overhaul (Jan 2026)
- Critical React Server Components Vulnerability: How We Responded at Orbitant (Dec 2025)
- Node.js release fixes a critical HTTP security vulnerability (Feb 2020)
- OpenJS Foundation Security Program: Annual Report 2025 (2025)
- Strengthening Yeoman: Our 2025 Security Overhaul (Nov 2025)
- How Express.js Rebuilt Its Vulnerability Reporting Process (Jun 2025)
- Express.js Security Audit: A Milestone Achievement (Oct 2024)
- Decoding CVEs: A practical guide to assessing and mitigating security risks (Oct 2024)
- You should use the OpenSSF Scorecard (Jan 2023)
- Safely store secrets in Git using Blackbox (Feb 2023)
- Docker Seguro (2022)
- Cybersecurity Handbook (2020)
- What is a backdoor? Let's build one with Node.js (Mar 2020)
I have also authored a series of technical deep-dives on web security topics on my blog.
Open source security doesn't happen by inertia. The gap between "widely depended on" and "actively secured" is where I spend my time.