AZL-45051

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-45051.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-45051

Upstream

CVE-2022-24999

Published

2022-11-26T22:15:10Z

Modified

2026-04-01T05:16:49.478589Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2022-24999 affecting package js-jquery 3.5.0-4

Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

References

https://nvd.nist.gov/vuln/detail/CVE-2022-24999

Affected packages

Azure Linux:3 / js-jquery

Package

Name: js-jquery
Purl: pkg:rpm/azure-linux/js-jquery

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.5.0-4

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-45051.json"