CVE-2022-24999
Published: 2022-11-26
Severity: high (CVSS 3.1 base score 7.5)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
Priority: P351
EPSS: 14.66% (96.2th percentile)
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Affected: 22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | node-qs | < node-qs 6.10.3+ds+~6.9.7-1 (bookworm) | node-qs 6.10.3+ds+~6.9.7-1 (bookworm) |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| openjsf | express | < 4.17.3 | 4.17.3 |
| qs_project | qs | < 6.2.4 | 6.2.4 |
| qs_project | qs | — | — |
| qs_project | qs | — | — |
| qs_project | qs | >= 0 < 6.2.4 | 6.2.4 |
| qs_project | qs | >= 6.10.0 < 6.10.3 | 6.10.3 |
| qs_project | qs | >= 6.10.0 < 6.10.3 | 6.10.3 |
| qs_project | qs | >= 6.3.0 < 6.3.3 | 6.3.3 |
| qs_project | qs | >= 6.3.0 < 6.3.3 | 6.3.3 |
| qs_project | qs | >= 6.4.0 < 6.4.1 | 6.4.1 |
| qs_project | qs | >= 6.5.0 < 6.5.3 | 6.5.3 |
| qs_project | qs | >= 6.5.0 < 6.5.3 | 6.5.3 |
| qs_project | qs | >= 6.6.0 < 6.6.1 | 6.6.1 |
| qs_project | qs | >= 6.7.0 < 6.7.3 | 6.7.3 |
| qs_project | qs | >= 6.7.0 < 6.7.3 | 6.7.3 |
| qs_project | qs | >= 6.8.0 < 6.8.3 | 6.8.3 |
| qs_project | qs | >= 6.8.0 < 6.8.3 | 6.8.3 |
| qs_project | qs | >= 6.9.0 < 6.9.7 | 6.9.7 |
| qs_project | qs | >= 6.9.0 < 6.9.7 | 6.9.7 |
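The description above explains the mechanism (a bracket-notation key whose path contains `__proto__` reaches the parser and, combined with a huge `length`, hangs the process), and the Affected table gives the exact vulnerable and fixed qs ranges. The following is an added example, not code from the advisory or from the qs or Express projects, that turns both into defensive checks: a pre-parse screen that flags query-string keys whose bracket path contains a prototype key, and a version check that mirrors the table's ranges. Assumptions: the function names (`findPrototypeKeys`, `screenRequestUrl`, `qsIsVulnerable`) are mine; the screen also flags `constructor` and `prototype` segments, which the advisory does not mention but which are the usual sibling route to the same object; the version check applies only to plain upstream qs version strings, not to distribution packages that carry backported fixes.

```javascript
// Added example (not from the advisory or the qs project): a defensive
// pre-parse screen for query strings that carry prototype-polluting keys,
// plus a check of an installed qs version against the vulnerable ranges
// listed in the advisory's Affected table.

// Property names that should never appear as a bracket-notation path segment
// in user-controlled input. The advisory names only `__proto__`; the other
// two are added here as an assumption (the common sibling route).
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return every raw key in `queryString` whose bracket path contains a
// prototype key, e.g. "a[__proto__]" or "x[constructor][prototype][y]".
function findPrototypeKeys(queryString) {
  const hits = [];
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const rawKey = pair.split('=')[0];
    let key;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch (e) {
      key = rawKey; // malformed percent-encoding: inspect it undecoded
    }
    // "a[__proto__][x]" -> ["a", "__proto__", "x"]
    const segments = key.split(/[\[\]]+/).filter(Boolean);
    if (segments.some((seg) => PROTO_KEYS.has(seg))) hits.push(key);
  }
  return hits;
}

// Screen a full request URL or path. Returns { allowed, keys } so a middleware
// can reject the request (HTTP 400) before the query string reaches the parser.
function screenRequestUrl(requestUrl) {
  const url = new URL(requestUrl, 'http://localhost'); // base only resolves relative paths
  const keys = findPrototypeKeys(url.search.slice(1));
  return { allowed: keys.length === 0, keys };
}

// Vulnerable qs ranges [lower inclusive, upper exclusive), copied from the
// advisory's Affected table; each upper bound is the fixed release.
const VULNERABLE_RANGES = [
  ['0.0.0', '6.2.4'], ['6.3.0', '6.3.3'], ['6.4.0', '6.4.1'],
  ['6.5.0', '6.5.3'], ['6.6.0', '6.6.1'], ['6.7.0', '6.7.3'],
  ['6.8.0', '6.8.3'], ['6.9.0', '6.9.7'], ['6.10.0', '6.10.3'],
];

function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number); // drop any pre-release suffix
}

function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when a plain upstream qs version falls inside a vulnerable range.
// Distribution packages with backported fixes (e.g. Debian's 6.9.4+ds-1+deb11u1)
// must be judged by the distro's own status, not by this function.
function qsIsVulnerable(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 &&
    compareVersions(v, parseVersion(hi)) < 0);
}

// Constructed sample: the query string quoted in the advisory.
const sample = screenRequestUrl('/items?a[__proto__]=b&a[__proto__]&a[length]=100000000');
console.log(sample);                  // { allowed: false, keys: [ 'a[__proto__]', 'a[__proto__]' ] }
console.log(qsIsVulnerable('6.9.4')); // true
console.log(qsIsVulnerable('6.9.7')); // false
```

The screen is a stop-gap for the window between discovery and upgrading; the durable fix is a qs release at or above the fixed version for your minor line (or a distro package that carries the backport), which `qsIsVulnerable` is meant to confirm in a dependency audit.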
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
OSV
qs vulnerable to Prototype Pollution
osv · 2022-11-27 · CVE-2022-24999 [HIGH]
qs before 6.10.3 allows attackers to cause a Node process hang because an `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
GHSA
qs vulnerable to Prototype Pollution
ghsa · 2022-11-27 · CVE-2022-24999 [HIGH] · CWE-1321
qs before 6.10.3 allows attackers to cause a Node process hang because an `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
OSV
CVE-2022-24999: qs before 6.10.3
osv · 2022-11-26 · CVSS 7.5 · CVE-2022-24999 [HIGH]
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Ubuntu
qs vulnerability
vendor_ubuntu · 2025-08-14 · CVE-2022-24999
Title: qs vulnerability
Summary: qs could be made to crash if it received specially crafted network traffic.
Nathanael Braun and Johan Brissaud discovered that qs was vulnerable to prototype pollution. A remote attacker could possibly use this issue to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
CISA ICS
ABB RMC-100
cisa_ics · 2025-03-25 · CVSS 7.5 · [HIGH]
ICS Advisory: ABB RMC-100
Release Date: March 25, 2025
Alert Code: ICSA-25-084-01
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ABB
- Equipment: RMC-100
- Vulnerability: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the web UI, causing a temporary denial of service until the interface can be restarted.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
ABB reports that the following products are affected when the REST interface is
Red Hat
express: "qs" prototype poisoning causes the hang of the node process
vendor_redhat · 2022-11-26 · CVSS 7.5 · CVE-2022-24999 [HIGH] · CWE-1321
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of se
Microsoft
vendor_msrc · 2022-11-08 · CVSS 7.5 · CVE-2022-24999 [HIGH] · CWE-1321
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who cho
Debian
CVE-2022-24999: node-qs
vendor_debian · 2022 · CVSS 7.5 · CVE-2022-24999 [HIGH]
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Scope: local
- bookworm: resolved (fixed in 6.10.3+ds+~6.9.7-1)
- bullseye: resolved (fixed in 6.9.4+ds-1+deb11u1)
- forky: resolved (fixed in 6.10.3+ds+~6.9.7-1)
- sid: resolved (fixed in 6.10.3+ds+~6.9.7
No detection rules found.
No public exploits indexed.
References
- https://github.com/expressjs/express/releases/tag/4.17.3
- https://github.com/ljharb/qs/pull/428
- https://github.com/n8tz/CVE-2022-24999
- https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html
- https://security.netapp.com/advisory/ntap-20230908-0005/
Published: 2022-11-26