GHSA-hrpp-h998-j3pp

Suggest an improvement
Source
https://github.com/advisories/GHSA-hrpp-h998-j3pp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hrpp-h998-j3pp
Aliases
Published
2022-11-27T00:30:50Z
Modified
2024-02-13T20:35:49Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
qs vulnerable to Prototype Pollution
Details

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Database specific
{
    "nvd_published_at": "2022-11-26T22:15:00Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T14:32:46Z"
}
References

Affected packages

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.10.0
Fixed
6.10.3

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.9.0
Fixed
6.9.7

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.8.0
Fixed
6.8.3

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.7.0
Fixed
6.7.3

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.6.0
Fixed
6.6.1

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.5.0
Fixed
6.5.3

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.4.0
Fixed
6.4.1

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.3.0
Fixed
6.3.3

npm / qs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.2.4