CVE-2022-24999 (High) detected in qs-6.5.2.tgz - autoclosed #125

mend-for-github-com · 2022-11-28T01:00:19Z

CVE-2022-24999 - High Severity Vulnerability

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /examples/graphql/package.json

Path to vulnerable library: /examples/graphql/package.json,/examples/rest/package.json

Dependency Hierarchy:

express-4.16.4.tgz (Root Library)
- ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 40c2bf435e91fe54575f47a7d13aef79ce92ae42

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (express): 4.17.0

⛑️ Automatic Remediation will be attempted for this issue.

mend-for-github-com · 2024-05-19T20:40:51Z

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #170

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Nov 28, 2022

mend-for-github-com bot changed the title ~~CVE-2022-24999 (Medium) detected in qs-6.5.2.tgz, qs-6.7.0.tgz~~ CVE-2022-24999 (High) detected in qs-6.5.2.tgz, qs-6.7.0.tgz Nov 29, 2022

mend-for-github-com bot mentioned this issue Jan 26, 2023

chore(deps): update dependency vuepress to v1.3.0 - autoclosed #135

Closed

1 task

mend-for-github-com bot mentioned this issue Oct 14, 2023

chore(deps): update dependency express to v4.17.2 - autoclosed #156

Closed

1 task

mend-for-github-com bot mentioned this issue Nov 29, 2023

chore(deps): update dependency express to v4.17.2 - autoclosed #158

Closed

1 task

mend-for-github-com bot changed the title ~~CVE-2022-24999 (High) detected in qs-6.5.2.tgz, qs-6.7.0.tgz~~ CVE-2022-24999 (High) detected in qs-6.5.2.tgz Mar 3, 2024

mend-for-github-com bot mentioned this issue Mar 3, 2024

chore(deps): update dependency express to v4.21.2 - autoclosed #165

Closed

1 task

mend-for-github-com bot changed the title ~~CVE-2022-24999 (High) detected in qs-6.5.2.tgz~~ CVE-2022-24999 (High) detected in qs-6.5.2.tgz - autoclosed May 19, 2024

mend-for-github-com bot closed this as completed May 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-24999 (High) detected in qs-6.5.2.tgz - autoclosed #125

CVE-2022-24999 (High) detected in qs-6.5.2.tgz - autoclosed #125

mend-for-github-com bot commented Nov 28, 2022 •

edited

Loading

mend-for-github-com bot commented May 19, 2024

CVE-2022-24999 (High) detected in qs-6.5.2.tgz - autoclosed #125

CVE-2022-24999 (High) detected in qs-6.5.2.tgz - autoclosed #125

Comments

mend-for-github-com bot commented Nov 28, 2022 • edited Loading

CVE-2022-24999 - High Severity Vulnerability

mend-for-github-com bot commented May 19, 2024

mend-for-github-com bot commented Nov 28, 2022 •

edited

Loading