From d2a6a26ac698540eac55cb971968061666733464 Mon Sep 17 00:00:00 2001
From: Ayoub Mabrouk
Date: Sat, 22 Nov 2025 18:02:19 +0100
Subject: [PATCH] fix: handle NaN status codes by defaulting to 500
Previously, when createError(NaN) was called, the status validation would fail to catch NaN because typeof NaN === 'number' is true in JavaScript. This resulted in errors with NaN status codes, which could cause issues in downstream code. This fix adds an explicit isNaN() check to the status validation logic, ensuring that NaN status codes are properly caught and defaulted to 500. Additionally, a test case has been added to verify this behavior and prevent regression.
Fixes: NaN status codes not being validated correctly
---
 index.js | 2 +-
 test/test.js | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 82271f6..951a698 100644
--- a/index.js
+++ b/index.js
@@ -73,7 +73,7 @@ function createError () {
 deprecate('non-error status code; use only 4xx or 5xx status codes')
 }
- if (typeof status !== 'number' ||
+ if (typeof status !== 'number' || isNaN(status) ||
 (!statuses.message[status] && (status < 400 || status >= 600))) {
 status = 500
 }
diff --git a/test/test.js b/test/test.js
index 7db9f16..dd337f5 100644
--- a/test/test.js
+++ b/test/test.js
@@ -331,6 +331,15 @@ describe('HTTP Errors', function () {
 assert.strictEqual(err.expose, false)
 })
+ it('createError(NaN) should default to 500', function () {
+ var err = createError(NaN)
+ assert.strictEqual(err.name, 'InternalServerError')
+ assert.strictEqual(err.message, 'Internal Server Error')
+ assert.strictEqual(err.status, 500)
+ assert.strictEqual(err.statusCode, 500)
+ assert.strictEqual(err.expose, false)
+ })
+
 it('createError(err, props)', function () {
 var _err = new Error('LOL')
 _err.status = 404
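Review bot: In the index.js hunk, the status guard still keeps a non-integer number in the 400–599 range (for example `404.5`), because the added `isNaN(status)` only closes the NaN case and the remaining range clause is false for such a value. An integer test covers NaN, the infinities and fractions at once: `if (!Number.isInteger(status) ||` where the supported runtimes provide it, or `if (typeof status !== 'number' || Math.floor(status) !== status ||` where they do not. The value presumably becomes the HTTP response code, so rejecting anything that is not a valid code here is safer than relying on each caller to do it. createError starts and ends outside this hunk, so where `status` is assigned is not visible.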
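Review bot: The new test in test/test.js pins only the bare-argument path, `createError(NaN)`. The test that follows it, `createError(err, props)`, sets `_err.status = 404` on an error that is passed in, which suggests the status can also arrive on an error object. A companion case with `_err.status = NaN` asserting that `err.status` and `err.statusCode` are 500 would cover that path too, assuming it runs through the same guard. A short comment above the test such as `// typeof NaN === 'number', so NaN needs its own check` would record why the case exists.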