Prototype Pollution Protection Bypass in qs

GHSA-gqgv-6jq5-jjj9 · CVE-2017-1000048

Published Apr 30, 2020 · Modified Nov 8, 2023

Description

Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.

Recommendation

Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-1000048
WEB https://github.com/ljharb/qs/issues/200
WEB https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d
WEB https://access.redhat.com/errata/RHSA-2017:2672
PACKAGE https://github.com/ljharb/qs
WEB https://snyk.io/vuln/npm:qs:20170213
WEB https://www.npmjs.com/advisories/1469

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes