PT-2022-17038 · Qs+8

Johan Brissaud +1 · Published 2022-11-26 · Updated 2026-02-04 · CVE-2022-24999

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

qs versions prior to 6.10.3
Express versions prior to 4.17.3

Description

The issue allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000.

Recommendations

For qs versions prior to 6.10.3, update to qs 6.10.3 or later. For Express versions prior to 4.17.3, update to Express 4.17.3 or later, which includes the fixed qs version. As a temporary workaround, consider restricting access to the query string parameters a[__proto__] and a[length] to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Prototype Pollution

Related Identifiers

ALSA-2023:0050
ALSA-2023_0050
ALSA-2023_1743
ALSA-2025_16880
AZL-44307
AZL-45051
CESA-2023_0050
CVE-2022-24999
DLA-3299-1
ELSA-2023-0050
GHSA-HRPP-H998-J3PP
MGASA-2023-0053
OESA-2024-1338
OESA-2024-1400
OESA-2024-1401
OESA-2024-1402
OESA-2024-1403
OESA-2024-1404
RHSA-2023:0050
RHSA-2023:0612
RHSA-2023:1533
RHSA-2023:1742
RHSA-2023_0050
RLSA-2023:0050
RLSA-2023_0050
USN-7693-1

Affected Products

Almalinux
Astra Linux
Centos
Express
Linuxmint
Red Hat
Rocky Linux
Ubuntu
Qs