
qs vulnerable to Prototype Pollution #212

Closed
1 of 4 tasks
TheKingTermux opened this issue Dec 22, 2022 · 1 comment · Fixed by #203
Labels
Auto Create Issues Label for Auto Created Issues High This label for Security Severity only Security Label for Security Issues
Milestone

Comments

@TheKingTermux
Owner

TheKingTermux commented Dec 22, 2022

Description

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Severity Check

  • Low
  • Moderate
  • High
  • Critical

Severity Number

7.5

CVSS base metrics

  • Attack vector
    Network

  • Attack complexity
    Low

  • Privileges required
    None

  • User interaction
    None

  • Scope
    Unchanged

  • Confidentiality
    None

  • Integrity
    None

  • Availability
    High

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Weaknesses
    CWE-1321

  • CVE ID
    CVE-2022-24999

  • GHSA ID
    GHSA-hrpp-h998-j3pp

Information

Package

  • express (npm)
    Affected versions: < 4.17.3
    Patched version: 4.17.3

  • qs (npm)
    Affected versions        Patched version
    >= 6.10.0, < 6.10.3      6.10.3
    >= 6.9.0, < 6.9.7        6.9.7
    >= 6.8.0, < 6.8.3        6.8.3
    >= 6.7.0, < 6.7.3        6.7.3
    >= 6.6.0, < 6.6.1        6.6.1
    >= 6.5.0, < 6.5.3        6.5.3
    >= 6.4.0, < 6.4.1        6.4.1
    >= 6.3.0, < 6.3.3        6.3.3
    < 6.2.4                  6.2.4

References

@TheKingTermux TheKingTermux added Security Label for Security Issues Auto Create Issues Label for Auto Created Issues labels Dec 22, 2022
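The advisory above describes a query string whose bracketed keys name __proto__ and are then parsed by qs. The following is an added example, not code from qs, Express or this repository: a defence-in-depth guard that inspects raw query keys for prototype-polluting segments before any parser sees them, so such requests can be rejected and logged. Upgrading to the patched qs/Express versions listed above remains the actual fix; the middleware shape (req, res, next) and the 400 response are assumptions for illustration.

```javascript
// Added example: reject query strings whose keys would address Object.prototype.
// Segment names that qs would turn into a prototype walk when used as object keys.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode a key the way a query-string parser would ('+' is a space, %XX is decoded).
// Malformed percent-encoding is inspected as raw text rather than letting it slip past.
function decodeKey(rawKey) {
  try {
    return decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch (e) {
    return rawKey;
  }
}

// Return every decoded key in the query string that contains a forbidden segment.
// "a[__proto__][x]" is split into ["a", "__proto__", "x"] before the check.
function findForbiddenKeys(queryString) {
  const hits = [];
  const query = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeKey(eq === -1 ? pair : pair.slice(0, eq));
    const segments = key.replace(/\]/g, '').split('[').map((s) => s.trim());
    if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) hits.push(key);
  }
  return hits;
}

// Express-style middleware (hypothetical wiring): block the request with a 400
// and leave an auditable log line before the default query parser runs.
function rejectPrototypePollution(req, res, next) {
  const idx = req.url.indexOf('?');
  const hits = idx === -1 ? [] : findForbiddenKeys(req.url.slice(idx + 1));
  if (hits.length === 0) return next();
  console.warn(`blocked query with prototype-pollution keys: ${hits.join(', ')}`);
  res.statusCode = 400;
  res.end('Bad Request');
}
```

Mount the middleware ahead of any route that reads req.query; the check is cheap because it never builds the nested object that the vulnerable parser does.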
@TheKingTermux
Owner Author

/lock

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 24, 2022
@TheKingTermux TheKingTermux added the High This label for Security Severity only label May 9, 2023
@TheKingTermux TheKingTermux added this to the Alice 1.0.6 milestone Jun 13, 2023