vulnerability

Red Hat: CVE-2022-24999: "qs" prototype poisoning causes the hang of the node process (Multiple Advisories)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Nov 26, 2022	Jan 12, 2023	Mar 27, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Nov 26, 2022

Added

Jan 12, 2023

Modified

Mar 27, 2026

Description

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Solutions

redhat-upgrade-nodejsredhat-upgrade-nodejs-debuginforedhat-upgrade-nodejs-debugsourceredhat-upgrade-nodejs-develredhat-upgrade-nodejs-docsredhat-upgrade-nodejs-full-i18nredhat-upgrade-nodejs-nodemonredhat-upgrade-nodejs-packagingredhat-upgrade-npm

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report