diff --git a/CHANGES.md b/CHANGES.md
index dce35c4..155395f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,7 @@
 ### Next version
 
+* Replace express-brute with rate-limiter-flexible (fixes GHSA-984p-xq9m-4rjw).
+
 ### 4.0.1
 
 * Fixed proxied upstream POST request being aborted when the stream associated with the downstream request is closed on Node v16+. This will now again correctly be triggered only when the socket is closed early.
diff --git a/lib/makeserver.js b/lib/makeserver.js
index e9c4d1a..4d449ca 100644
--- a/lib/makeserver.js
+++ b/lib/makeserver.js
@@ -8,7 +8,7 @@ var cors = require('cors');
 var exists = require('./exists');
 var basicAuth = require('basic-auth');
 var fs = require('fs');
-var ExpressBrute = require('express-brute');
+const ExpressBruteFlexible = require('rate-limiter-flexible/lib/ExpressBruteFlexible');
 
 /* Creates and returns a single express server. */
 module.exports = function(options) {
@@ -75,7 +75,6 @@ module.exports = function(options) {
 
     var auth = options.settings.basicAuthentication;
     if (auth && auth.username && auth.password) {
-        var store = new ExpressBrute.MemoryStore();
         var rateLimitOptions = {
             freeRetries: 2,
             minWait: 200,
@@ -86,7 +85,10 @@ module.exports = function(options) {
             rateLimitOptions.minWait = options.settings.rateLimit.minWait;
             rateLimitOptions.maxWait = options.settings.rateLimit.maxWait;
         }
-        var bruteforce = new ExpressBrute(store, rateLimitOptions);
+        const bruteforce = new ExpressBruteFlexible(
+            ExpressBruteFlexible.LIMITER_TYPES.MEMORY,
+            rateLimitOptions
+        );
         app.use(bruteforce.prevent, function(req, res, next) {
             var user = basicAuth(req);
             if (user && user.name === auth.username && user.pass === auth.password) {
diff --git a/package.json b/package.json
index f347f5c..4ce1ca6 100644
--- a/package.json
+++ b/package.json
@@ -6,9 +6,6 @@
   "engines": {
     "node": ">=12.0.0"
   },
-  "resolutions": {
-    "underscore": "^1.12.1"
-  },
   "main": "lib/app.js",
   "scripts": {
     "test": "jasmine",
@@ -39,12 +36,12 @@
     "compression": "^1.6.0",
     "cors": "^2.7.1",
     "express": "^4.8.0",
-    "express-brute": "^1.0.1",
     "json5": "^2.2.3",
     "morgan": "^1.7.0",
     "proj4": "^2.3.12",
     "proj4js-defs": "0.0.1",
     "range_check": "^1.4.0",
+    "rate-limiter-flexible": "^5.0.3",
     "request": "^2.88.2",
     "request-promise": "^4.0.1",
     "yargs": "^13.2.4"
diff --git a/yarn.lock b/yarn.lock
index a6d44a8..1208072 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -392,14 +392,6 @@ events@1.1.1:
   resolved "https://registry.yarnpkg.com/events/-/events-1.1.1.tgz#9ebdb7635ad099c70dcc4c2a1f5004288e8bd924"
   integrity sha512-kEcvvCBByWXGnZy6JUlgAp2gBIUjfCAV6P6TgT1/aaQKcmuAEC4OZTV1I4EWQLz2gxZw76atuVyvHhTxvi0Flw==
 
-express-brute@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/express-brute/-/express-brute-1.0.1.tgz#9f36d107fe34e40a682593e39bffcc53102b5335"
-  integrity sha512-ieZmwox3oIZdQCVjvvnwQvrKQumWdb/JjmC9mWplF42AuHCBXr6Yk/I+nLTRQx+9F+2aapOW9kYLwA6xIlwA9g==
-  dependencies:
-    long-timeout "~0.1.1"
-    underscore "~1.8.3"
-
 express@^4.8.0:
   version "4.19.2"
   resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465"
@@ -801,11 +793,6 @@ lodash@^4.17.19:
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
   integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
 
-long-timeout@~0.1.1:
-  version "0.1.1"
-  resolved "https://registry.yarnpkg.com/long-timeout/-/long-timeout-0.1.1.tgz#9721d788b47e0bcb5a24c2e2bee1a0da55dab514"
-  integrity sha512-BFRuQUqc7x2NWxfJBCyUrN8iYUYznzL9JROmRz1gZ6KlOIgmoD+njPVbb+VNn2nGMKggMsK79iUNErillsrx7w==
-
 media-typer@0.3.0:
   version "0.3.0"
   resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
@@ -1051,6 +1038,11 @@ range_check@^1.4.0:
     ip6 "0.0.4"
     ipaddr.js "1.2"
 
+rate-limiter-flexible@^5.0.3:
+  version "5.0.3"
+  resolved "https://registry.yarnpkg.com/rate-limiter-flexible/-/rate-limiter-flexible-5.0.3.tgz#bfbfd7585e09073ebe22d177126116862b1024ae"
+  integrity sha512-lWx2y8NBVlTOLPyqs+6y7dxfEpT6YFqKy3MzWbCy95sTTOhOuxufP2QvRyOHpfXpB9OUJPbVLybw3z3AVAS5fA==
+
 raw-body@2.5.2:
   version "2.5.2"
   resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a"
@@ -1318,11 +1310,6 @@ type-is@~1.6.18:
     media-typer "0.3.0"
     mime-types "~2.1.24"
 
-underscore@^1.12.1, underscore@~1.8.3:
-  version "1.13.6"
-  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.13.6.tgz#04786a1f589dc6c09f761fc5f45b89e935136441"
-  integrity sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==
-
 unpipe@1.0.0, unpipe@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/unpipe/-/unpipe-1.0.0.tgz#b2bf4ee8514aae6165b4817829d21b2ef49904ec"