OESA-2024-1338

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1338

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2024-1338.json

JSON Data

https://api.osv.dev/v1/vulns/OESA-2024-1338

Upstream

CVE-2022-24999

Published

2024-03-29T11:07:19Z

Modified

2025-09-03T06:18:08.460317Z

Summary

nodejs-qs security update

Details

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.

Security Fix(es):

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an _ proto_ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).(CVE-2022-24999)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:22.03-LTS-SP3 / nodejs-qs

Package

Name: nodejs-qs
Purl: pkg:rpm/openEuler/nodejs-qs&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.1-2.oe2203sp3

Ecosystem specific

{
    "src": [
        "nodejs-qs-6.5.1-2.oe2203sp3.src.rpm"
    ],
    "noarch": [
        "nodejs-qs-6.5.1-2.oe2203sp3.noarch.rpm"
    ]
}