On December 10, 2021 CVE-2021-44228 was reported, describing an exploit in the Log4j library that allowed a malicious user to run code on an affected system. On December 14, 2021 CVE-2021-45046 was reported, describing a second exploit in Log4j.
Express Server doesn't use a version of Log4j that is affected by CVE-2021-44228 or CVE-2021-45046.
Note: An earlier version of this article stated that Express Server did not use Log4j. A draft version was published before it was complete and verified; we regret the error.