We wrote about it here https://www.bearer.com/blog/loom-express-session-incident and we also updated the famous NodeGoat project to bring more awareness around that kind of mis configuration https://github.com/OWASP/NodeGoat/pull/286