express: "qs" prototype poisoning causes the hang of the node process

A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a proto or constructor payload, a remote attacker can cause a...

Debian dla-3299 : node-qs - security update

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3299 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3299-1 [email protected] https://www.debian.org/lts/security/...

AlmaLinux 8 : nodejs:14 (ALSA-2023:0050)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:0050 advisory. minimist: prototype pollution CVE-2021-44906 node-fetch: exposure of sensitive information to an unauthorized actor CVE-2022-0235 nodejs-minimatch: ReDoS...

Oracle Linux 8 : nodejs:14 (ELSA-2023-0050)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-0050 advisory. - Apply upstream fix for CVE-2022-24999 Resolves: CVE-2022-24999 - Record CVEs fixed by current or previous upstream releases Resolves: CVE-2021-44906...

GHSA-HRPP-H998-J3PP qs vulnerable to Prototype Pollution

qs before 6.10.3 allows attackers to cause a Node process hang because an proto key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as...

qs vulnerable to Prototype Pollution

qs before 6.10.3 allows attackers to cause a Node process hang because an proto key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as...

CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

DEBIAN-CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

Design/Logic Flaw

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

CVE-2022-24999

CVE-2022-24999 affects the qs library prior to 6.10.3 used by Express before 4.17.3, enabling prototype poisoning via a[proto ] in query strings that can hang a Node process. An unauthenticated remote attacker can place the payload in the URL query. The advisory notes backported fixes to qs versi...

CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

Denial of Service in http-live-simulator

Versions of http-live-simulator prior to 1.0.8 are vulnerable to Denial of Service. The package fails to catch an exception that causes the Node process to crash, effectively shutting down the server. This allows an attacker to send an HTTP request that crashes the server. Recommendation Upgrade ...

Denial Of Service (DoS)

node-sass is vulnerable to denial of service DoS. The attack is possible because the renderSync function triggers C++ assertions in CustomImporterBridge::getimporterentry and CustomImporterBridge::postprocessreturnvalue, crashing the Node process...

Denial of Service

Overview Versions of http-live-simulator prior to 1.0.8 are vulnerable to Denial of Service. The package fails to catch an exception that causes the Node process to crash, effectively shutting down the server. This allows an attacker to send an HTTP request that crashes the server. Recommendation...

Denial of Service

Overview Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service DoS. The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input tha...

Denial of Service

Overview Affected versions of node-sass are vulnerable to Denial of Service DoS. Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::getimporterentry and CustomImporterBridge::postprocessreturnvalue that crash the Node process. This may allow...

GHSA-VPQ5-4RC8-C222 Denial of Service in canvas

Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process. Recommendation Upgrade to version 1.6.10...