Affected versions of this package are vulnerable to Open Redirect via the redirect function in lib/response.js due to improper input sanitization. An attacker can redirect users to arbitrary external sites by exploiting this vulnerability.
Remediation
A fix was pushed into the master branch but not yet published.
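Until the fix is published, an application can validate the target itself before handing it to the redirect function. The following is an added example, not code from the package or its fix: the helper name `safeRedirectTarget`, the placeholder origin `https://app.invalid`, and the sample host `partner.example` are assumptions made for illustration.

```javascript
'use strict';

// Placeholder origin (assumption), used only to resolve relative paths so
// that anything resolving elsewhere can be recognised as external.
const BASE = 'https://app.invalid';

// Hypothetical helper: returns a target that is safe to redirect to, or
// `fallback` when the input would send the user to an unapproved site.
function safeRedirectTarget(input, allowedHosts = [], fallback = '/') {
  if (typeof input !== 'string' || input.length === 0) return fallback;

  // Reject control characters and backslashes. URL parsers strip tabs and
  // newlines and treat "\" like "/", so "/\host" acts as "//host".
  if (/[\u0000-\u001f\u007f\\]/.test(input)) return fallback;

  let url;
  try {
    url = new URL(input, BASE);
  } catch {
    return fallback; // unparseable input
  }

  // Only web schemes; this drops javascript:, data:, and similar.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return fallback;

  // Userinfo hides the real host: https://trusted@other-host/
  if (url.username || url.password) return fallback;

  if (url.origin === BASE) {
    // Accept only a rooted local path, never a protocol-relative "//host".
    if (!input.startsWith('/') || input.startsWith('//')) return fallback;
    return url.pathname + url.search + url.hash;
  }

  // External targets must be HTTPS and match the allow-list exactly
  // (host includes any non-default port).
  if (url.protocol === 'https:' && allowedHosts.includes(url.host)) {
    return url.href;
  }
  return fallback;
}
```

Pass the returned value, rather than the raw request parameter, to the redirect call.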