PT-2017-10758 · Npm · Qs

Myvyang

Published

2017-07-13

Updated

2020-04-30

CVE-2017-1000048

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions qs versions prior to 6.0.4 qs versions prior to 6.1.2 qs versions prior to 6.2.3 qs versions prior to 6.3.2

Description The issue allows a malicious user to send a request that can cause the web framework to crash, resulting in a Denial of Service. This is due to the qs.parse function failing to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype, allowing attackers to override properties that will exist in all objects. This may lead to Remote Code Execution in specific circumstances.

Recommendations Upgrade to version 6.0.4 or later. Upgrade to version 6.1.2 or later. Upgrade to version 6.2.3 or later. Upgrade to version 6.3.2 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

AZL-45075

CVE-2017-1000048

GHSA-GQGV-6JQ5-JJJ9

RHSA-2017:2672

PT-2017-10758 · Npm · Qs

CVE-2017-1000048

Weakness Enumeration

Related Identifiers

Affected Products

References · 10