Vulnerability Monitor
CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Published

2022-11-26T22:15:10.153

Last Modified

2025-04-29T14:15:20.410

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses
  • Type: Primary
    CWE-1321
  • Type: Secondary
    CWE-1321

Affected Vendors & Products

Type              Vendor      Product       Version/Range   Vulnerable?
Application       qs_project  qs            < 6.2.4         Yes
Application       qs_project  qs            < 6.3.3         Yes
Application       qs_project  qs            < 6.5.3         Yes
Application       qs_project  qs            < 6.7.3         Yes
Application       qs_project  qs            < 6.8.3         Yes
Application       qs_project  qs            < 6.9.7         Yes
Application       qs_project  qs            < 6.10.3        Yes
Application       qs_project  qs            6.4.0           Yes
Application       qs_project  qs            6.6.0           Yes
Application       openjsf     express       < 4.17.3        Yes
Operating System  debian      debian_linux  10.0            Yes

References