GoogleOSV:GHSA-HRPP-H998-J3PPqs vulnerable to Prototype Pollution
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8 High
AI Score
Confidence
High
0.014 Low
EPSS
Percentile
86.6%
qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
References
github.com/expressjs/express/releases/tag/4.17.3
github.com/ljharb/qs
github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec
github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68
github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b
github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d
github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1
github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105
github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f
github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee
github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda
github.com/ljharb/qs/pull/428
github.com/n8tz/CVE-2022-24999
lists.debian.org/debian-lts-announce/2023/01/msg00039.html
nvd.nist.gov/vuln/detail/CVE-2022-24999
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8 High
AI Score
Confidence
High
0.014 Low
EPSS
Percentile
86.6%