CVE-2022-24999: Prototype Pollution in Express

Severity: 7.5 HIGH (NVD)
EPSS: 1.5% (top 18.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 26; latest update Aug 14

Description

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (an

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source | Package           | Affected versions
NVD    | openjsf/express   | < 4.17.3
NVD    | qs_project/qs     | 6.3.0 to 6.3.3 (+8 further ranges)
npm    | qs_project/qs     | 6.10.0 to 6.10.3 (+8 further ranges)

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (4)

OSV: qs vulnerable to Prototype Pollution (2022-11-27)
GHSA: qs vulnerable to Prototype Pollution (2022-11-27)
OSV: CVE-2022-24999: qs before 6... (2022-11-26)
CVEList: CVE-2022-24999: qs before 6... (2022-11-26)

Vendor Advisories (4)

Ubuntu: qs vulnerability (2025-08-14)
Red Hat: express: "qs" prototype poisoning causes the hang of the node process (2022-11-26)
Microsoft: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical E... (2022-11-08)
Debian: CVE-2022-24999: node-qs - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows at... (2022)
CVE-2022-24999 — Prototype Pollution in Openjsf Express | cvebase