Upstream information

CVE-2022-24999 at MITRE


qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High
CVSSv3 Version 3.1
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 8
  • nodejs >= 14.21.1-2.module+el8.7.0+17528+a329cd47
  • nodejs-devel >= 14.21.1-2.module+el8.7.0+17528+a329cd47
  • nodejs-docs >= 14.21.1-2.module+el8.7.0+17528+a329cd47
  • nodejs-full-i18n >= 14.21.1-2.module+el8.7.0+17528+a329cd47
  • nodejs-nodemon >= 2.0.20-2.module+el8.7.0+17528+a329cd47
  • nodejs-packaging >= 23-3.module+el8.3.0+6519+9f98ed83
  • npm >= 6.14.17-

SUSE Timeline for this CVE

CVE page created: Sun Nov 27 07:00:21 2022
CVE page last modified: Mon Oct 30 18:16:41 2023