HIGH 7.5 npm
qs vulnerable to Prototype Pollution
GHSA-hrpp-h998-j3pp · CVE-2022-24999
Description
qs before 6.10.3 allows attackers to cause a Node process hang because an `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
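As an added illustration (not code from the advisory or the qs project), the following Node.js guard inspects a raw query string for the key shapes described above and reports them, so a middleware can reject the request before a vulnerable `qs.parse()` ever sees it; the forbidden segment list and the index cap of 20 are assumptions (the cap mirrors qs's default `arrayLimit`).

```javascript
// Added example: pre-parse guard for the CVE-2022-24999 query-string shape.
// Assumptions: these segment names never appear in legitimate form keys,
// and no legitimate array index or length exceeds MAX_INDEX.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_INDEX = 20; // assumption: same as qs's default arrayLimit

// Split a bracket-notation key such as "a[b][0]" into ["a", "b", "0"].
function keySegments(key) {
  const segments = [key.match(/^[^[]*/)[0]];
  for (const m of key.matchAll(/\[([^\]]*)\]/g)) segments.push(m[1]);
  return segments;
}

// Return one finding per suspicious key; an empty array means the query is clean.
function inspectQueryString(rawQuery) {
  const findings = [];
  for (const pair of rawQuery.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    let key;
    try {
      // Decode so that a%5B__proto__%5D is seen as a[__proto__].
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch {
      findings.push({ key: rawKey, reason: 'malformed percent-encoding' });
      continue;
    }
    for (const seg of keySegments(key)) {
      if (FORBIDDEN_SEGMENTS.has(seg)) {
        findings.push({ key, reason: `prototype segment "${seg}"` });
      } else if (/^\d+$/.test(seg) && Number(seg) > MAX_INDEX) {
        findings.push({ key, reason: `array index ${seg} exceeds ${MAX_INDEX}` });
      } else if (seg === 'length' && /^\d+$/.test(value) && Number(value) > MAX_INDEX) {
        findings.push({ key, reason: `length value ${value} exceeds ${MAX_INDEX}` });
      }
    }
  }
  return findings;
}

// Express-style middleware (hypothetical wiring): reject before body/query parsing.
function rejectPrototypePollutingQueries(req, res, next) {
  const query = req.url.includes('?') ? req.url.slice(req.url.indexOf('?') + 1) : '';
  const findings = inspectQueryString(query);
  if (findings.length > 0) {
    res.statusCode = 400;
    return res.end('rejected query string');
  }
  next();
}
```

Run `inspectQueryString('a[__proto__]=b&a[__proto__]&a[length]=100000000')` against the payload quoted in the advisory and it returns three findings, while an ordinary form query such as `user[name]=ann&tags[0]=x` returns none.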
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-24999
- WEB https://github.com/ljharb/qs/pull/428
- WEB https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec
- WEB https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68
- WEB https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b
- WEB https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d
- WEB https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1
- WEB https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105
- WEB https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f
- WEB https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee
- WEB https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda
- WEB https://github.com/expressjs/express/releases/tag/4.17.3
- PACKAGE https://github.com/ljharb/qs
- WEB https://github.com/n8tz/CVE-2022-24999
- WEB https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html
- WEB https://security.netapp.com/advisory/ntap-20230908-0005