#VU69675 Prototype pollution in qs - CVE-2022-24999

Cybersecurity Help s.r.o.

Published: 2022-11-29 | Updated: 2022-12-04

Vulnerability identifier: #VU69675

Vulnerability risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2022-24999

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
qs
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

qs: 6.0.0 - 6.10.4

External links
https://github.com/n8tz/CVE-2022-24999
https://github.com/expressjs/express/releases/tag/4.17.3
https://github.com/ljharb/qs/pull/428

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Process Mining

Multiple vulnerabilities in IBM QRadar Data Synchronization App

Multiple vulnerabilities in IBM Business Automation Insights

Multiple vulnerabilities in QRadar Suite Software

Prototype pollution in IBM Cloud Pak for Data

openEuler 22.03 LTS SP2 update for nodejs-qs

openEuler 22.03 LTS SP1 update for nodejs-qs

openEuler 22.03 LTS update for nodejs-qs

openEuler 20.03 LTS SP4 update for nodejs-qs

openEuler 20.03 LTS SP1 update for nodejs-qs