{"api_version":"1","generated_at":"2026-04-23T00:41:39+00:00","cve":"CVE-2022-24999","urls":{"html":"https://cve.report/CVE-2022-24999","api":"https://cve.report/api/cve/CVE-2022-24999.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24999","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24999"},"summary":{"title":"CVE-2022-24999","description":"qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-11-26 22:15:00","updated_at":"2023-09-08 17:15:00"},"problem_types":["CWE-1321"],"metrics":[],"references":[{"url":"https://github.com/expressjs/express/releases/tag/4.17.3","name":"https://github.com/expressjs/express/releases/tag/4.17.3","refsource":"CONFIRM","tags":[],"title":"Release 4.17.3 · expressjs/express · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/ljharb/qs/pull/428","name":"https://github.com/ljharb/qs/pull/428","refsource":"CONFIRM","tags":[],"title":"[Fix] `parse`: ignore `__proto__` keys by ljharb · Pull Request #428 · ljharb/qs · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0005/","name":"https://security.netapp.com/advisory/ntap-20230908-0005/","refsource":"CONFIRM","tags":[],"title":"CVE-2022-24999 Node.js Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html","name":"[debian-lts-announce] 20230130 [SECURITY] [DLA 3299-1] node-qs security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3299-1] node-qs security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/n8tz/CVE-2022-24999","name":"https://github.com/n8tz/CVE-2022-24999","refsource":"MISC","tags":[],"title":"GitHub - n8tz/CVE-2022-24999: \"qs\" prototype poisoning vulnerability ( CVE-2022-24999 )","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24999","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24999","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24999","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24999","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openjsf","cpe5":"express","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24999","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qs_project","cpe5":"qs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24999","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qs_project","cpe5":"qs","cpe6":"6.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24999","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qs_project","cpe5":"qs","cpe6":"6.6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24999","qid":"160373","title":"Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2023-0050)"},{"cve":"CVE-2022-24999","qid":"181376","title":"Debian Security Update for node-qs (CVE-2022-24999)"},{"cve":"CVE-2022-24999","qid":"181527","title":"Debian Security Update for node-qs (DLA 3299-1)"},{"cve":"CVE-2022-24999","qid":"241041","title":"Red Hat Update for nodejs:14 security (RHSA-2023:0050)"},{"cve":"CVE-2022-24999","qid":"241160","title":"Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2023:0612)"},{"cve":"CVE-2022-24999","qid":"241304","title":"Red Hat Update for nodejs:14 security (RHSA-2023:1533)"},{"cve":"CVE-2022-24999","qid":"241341","title":"Red Hat Update for nodejs:14 security (RHSA-2023:1742)"},{"cve":"CVE-2022-24999","qid":"378045","title":"Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2023:0026)"},{"cve":"CVE-2022-24999","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-24999","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-24999","qid":"940865","title":"AlmaLinux Security Update for nodejs:14 (ALSA-2023:0050)"},{"cve":"CVE-2022-24999","qid":"960645","title":"Rocky Linux Security Update for nodejs:14 (RLSA-2023:0050)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-24999","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://github.com/expressjs/express/releases/tag/4.17.3","url":"https://github.com/expressjs/express/releases/tag/4.17.3"},{"refsource":"CONFIRM","name":"https://github.com/ljharb/qs/pull/428","url":"https://github.com/ljharb/qs/pull/428"},{"refsource":"MISC","name":"https://github.com/n8tz/CVE-2022-24999","url":"https://github.com/n8tz/CVE-2022-24999"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230130 [SECURITY] [DLA 3299-1] node-qs security update","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230908-0005/","url":"https://security.netapp.com/advisory/ntap-20230908-0005/"}]}},"nvd":{"publishedDate":"2022-11-26 22:15:00","lastModifiedDate":"2023-09-08 17:15:00","problem_types":["CWE-1321"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.3.0","versionEndExcluding":"6.3.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:6.4.0:*:*:*:*:node.js:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.5.0","versionEndExcluding":"6.5.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:6.6.0:*:*:*:*:node.js:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.7.0","versionEndExcluding":"6.7.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.8.0","versionEndExcluding":"6.8.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.9.0","versionEndExcluding":"6.9.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.10.0","versionEndExcluding":"6.10.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*","versionEndExcluding":"6.2.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*","versionEndExcluding":"4.17.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24999","Ordinal":"228444","Title":"CVE-2022-24999","CVE":"CVE-2022-24999","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24999","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}