GHSA-hrpp-h998-j3pp
- Source
- https://github.com/advisories/GHSA-hrpp-h998-j3pp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json
- Aliases
- Published
- 2022-11-27T00:30:50Z
- Modified
- 2024-02-13T20:35:49Z
- Summary
- qs vulnerable to Prototype Pollution
- Details
-
qs before 6.10.3 allows attackers to cause a Node process hang because an
__ proto__key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such asa[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-24999
- https://github.com/ljharb/qs/pull/428
- https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec
- https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68
- https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b
- https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d
- https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1
- https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105
- https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f
- https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee
- https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda
- https://github.com/expressjs/express/releases/tag/4.17.3
- https://github.com/ljharb/qs
- https://github.com/n8tz/CVE-2022-24999
- https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html