CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Published: Nov 26, 2022
Updated: Sep 9, 2023
CVE: CVE-2022-24999
GHSA: GHSA-hrpp-h998-j3pp
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-1321

Affected Software
References

Software	From	Fixed in
qs_project / qs	6.3.0	6.3.3
qs_project / qs	6.4.0	6.4.0.x
qs_project / qs	6.5.0	6.5.3
qs_project / qs	6.6.0	6.6.0.x
qs_project / qs	6.7.0	6.7.3
qs_project / qs	6.8.0	6.8.3
qs_project / qs	6.9.0	6.9.7
qs_project / qs	6.10.0	6.10.3
qs_project / qs	-	6.2.4
openjsf / express	-	4.17.3
debian / debian_linux	10.0	10.0.x
@types / qs	6.10.0	6.10.3
@types / qs	6.9.0	6.9.7
@types / qs	6.8.0	6.8.3
@types / qs	6.7.0	6.7.3
@types / qs	6.6.0	6.6.1
@types / qs	6.5.0	6.5.3
@types / qs	6.4.0	6.4.1
@types / qs	6.3.0	6.3.3
@types / qs	-	6.2.4

Vulnerability Database

289,599

CVE-2022-24999