CVE-2022-24999: qs vulnerable to Prototype Pollution
(updated )
qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
References
- github.com/advisories/GHSA-hrpp-h998-j3pp
- github.com/expressjs/express/releases/tag/4.17.3
- github.com/ljharb/qs
- github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec
- github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68
- github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b
- github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d
- github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1
- github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105
- github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f
- github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee
- github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda
- github.com/ljharb/qs/pull/428
- github.com/n8tz/CVE-2022-24999
- lists.debian.org/debian-lts-announce/2023/01/msg00039.html
- nvd.nist.gov/vuln/detail/CVE-2022-24999
- security.netapp.com/advisory/ntap-20230908-0005
Code Behaviors & Features
Detect and mitigate CVE-2022-24999 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →