qs before 6.10.3 allows attackers to cause a Node process hang because an `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
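As an added illustration, not code from qs or from the advisory, the following pre-parse screen flags query-string keys whose bracket path contains `__proto__`, including percent-encoded forms, so a request like the payload above can be rejected or logged before it reaches a vulnerable parser. The function names and the input shape (the raw text after `?`) are assumptions; upgrading qs to a fixed version remains the actual remedy, and this check is a defence-in-depth and detection aid.

```javascript
// Added example (not qs code): screen a raw query string for bracket keys
// that name __proto__ before handing it to a query parser.
const FORBIDDEN_SEGMENTS = new Set(["__proto__"]);

// Decode percent-escapes and '+'; on malformed input inspect the raw text.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Split a key such as "a[__proto__][x]" into ["a", "__proto__", "x"].
function keySegments(key) {
  const open = key.indexOf("[");
  if (open === -1) return [key];
  const segs = [key.slice(0, open)];
  const rest = key.slice(open);
  const re = /\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(rest)) !== null) segs.push(m[1]);
  return segs;
}

// Return the decoded keys whose path touches a forbidden segment.
// An empty array means the query string passed the screen.
function findProtoKeys(queryString) {
  const flagged = [];
  const qs = queryString.startsWith("?") ? queryString.slice(1) : queryString;
  for (const part of qs.split("&")) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const key = safeDecode(eq === -1 ? part : part.slice(0, eq));
    if (keySegments(key).some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      flagged.push(key);
    }
  }
  return flagged;
}

// Constructed inputs: the payload quoted in the advisory, a percent-encoded
// variant of its first parameter, and a benign nested query.
const ADVISORY_PAYLOAD = "a[__proto__]=b&a[__proto__]&a[length]=100000000";
const ENCODED_PAYLOAD = "a%5B__proto__%5D=b";
const BENIGN_QUERY = "a[x]=1&a[y]=2";

console.log(findProtoKeys(ADVISORY_PAYLOAD)); // ["a[__proto__]", "a[__proto__]"]
console.log(findProtoKeys(ENCODED_PAYLOAD)); // ["a[__proto__]"]
console.log(findProtoKeys(BENIGN_QUERY)); // []
```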
github.com/advisories/GHSA-hrpp-h998-j3pp
github.com/expressjs/express/releases/tag/4.17.3
github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec
github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68
github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b
github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d
github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1
github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105
github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f
github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee
github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda
github.com/ljharb/qs/pull/428
github.com/n8tz/CVE-2022-24999
lists.debian.org/debian-lts-announce/2023/01/msg00039.html
nvd.nist.gov/vuln/detail/CVE-2022-24999