Vulnerabilites related to qs_project - qs
Vulnerability from fkie_nvd
Published
2022-11-26 22:15
Modified
2025-04-29 14:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/expressjs/express/releases/tag/4.17.3 | Release Notes | |
| cve@mitre.org | https://github.com/ljharb/qs/pull/428 | Issue Tracking, Patch | |
| cve@mitre.org | https://github.com/n8tz/CVE-2022-24999 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20230908-0005/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/expressjs/express/releases/tag/4.17.3 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ljharb/qs/pull/428 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/n8tz/CVE-2022-24999 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230908-0005/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | 6.4.0 | |
| qs_project | qs | 6.6.0 | |
| openjsf | express | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F7960844-79EB-454C-BD4C-C79387E2E573",
"versionEndExcluding": "6.2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "B836471B-BF39-4B52-B837-70B494D2C45F",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "DF319EA6-E68F-41A8-BB21-FE30F6BD1A9C",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E43C2419-E3F8-4123-8FA8-A0C1B4244D77",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "BB20DBEF-67E2-49FB-BB55-C86F7A83028F",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "6.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "49C25B47-56FD-43BF-9DA4-A6100DD291EE",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "750DDAB9-4454-4087-8DA1-D05280F59081",
"versionEndExcluding": "6.10.3",
"versionStartIncluding": "6.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.4.0:*:*:*:*:node.js:*:*",
"matchCriteriaId": "535F43BA-C0A4-441A-A13C-A221ED855613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.6.0:*:*:*:*:node.js:*:*",
"matchCriteriaId": "870A2680-00C2-43D2-9C4B-D8F52DB16AA1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "31382A93-AA97-4D14-ACF6-129F1BDDFD6D",
"versionEndExcluding": "4.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable)."
},
{
"lang": "es",
"value": "qs anterior a 6.10.3, como se usa en Express anterior a 4.17.3 y otros productos, permite a los atacantes provocar que un proceso de Nodo se cuelgue para una aplicaci\u00f3n Express porque se puede usar una clave __ proto__. En muchos casos de uso t\u00edpicos de Express, un atacante remoto no autenticado puede colocar el payload del ataque en la cadena de consulta de la URL que se utiliza para visitar la aplicaci\u00f3n, como a[__proto__]=b\u0026amp;a[__proto__]\u0026amp;a[length] =100000000. La soluci\u00f3n se respald\u00f3 a qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3 y 6.2.4 (y por lo tanto a Express 4.17.3, que tiene \"deps : qs@6.9.7\" en la descripci\u00f3n de su versi\u00f3n, no es vulnerable)."
}
],
"id": "CVE-2022-24999",
"lastModified": "2025-04-29T14:15:20.410",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-26T22:15:10.153",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"source": "cve@mitre.org",
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-17 13:18
Modified
2025-04-20 01:37
Severity ?
Summary
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qs_project | qs | 1.0.0 | |
| qs_project | qs | 1.0.1 | |
| qs_project | qs | 1.0.2 | |
| qs_project | qs | 1.1.0 | |
| qs_project | qs | 1.2.0 | |
| qs_project | qs | 1.2.1 | |
| qs_project | qs | 2.3.1 | |
| qs_project | qs | 2.3.2 | |
| qs_project | qs | 2.3.3 | |
| qs_project | qs | 2.4.0 | |
| qs_project | qs | 2.4.1 | |
| qs_project | qs | 2.4.2 | |
| qs_project | qs | 3.0.0 | |
| qs_project | qs | 3.1.0 | |
| qs_project | qs | 4.0.0 | |
| qs_project | qs | 5.0.0 | |
| qs_project | qs | 5.1.0 | |
| qs_project | qs | 5.2.0 | |
| qs_project | qs | 5.2.1 | |
| qs_project | qs | 6.0.0 | |
| qs_project | qs | 6.0.1 | |
| qs_project | qs | 6.0.2 | |
| qs_project | qs | 6.0.3 | |
| qs_project | qs | 6.1.0 | |
| qs_project | qs | 6.1.1 | |
| qs_project | qs | 6.2.0 | |
| qs_project | qs | 6.2.1 | |
| qs_project | qs | 6.2.2 | |
| qs_project | qs | 6.3.0 | |
| qs_project | qs | 6.3.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qs_project:qs:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F59D4E83-E0E4-4FDA-BD67-8FEFB3F8FEC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F84B0A5-FD8E-4747-A020-FDA4D988BF35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "69152D81-88C4-4B56-8555-FA2CB81F9AF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2D653824-83C9-4C88-8303-D06C90F466AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DA2F55BE-E78A-41B2-B9CC-F24DE9103B5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "432764B3-0CB0-4DEA-B5F7-4F3329C5532E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6D89D437-D47D-4873-BCB4-EF8C78B1884C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9000EE50-8D9F-41E6-9578-0820BE32F71B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1F00E24A-8796-4079-8EC8-C5BEB3594155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "03E099ED-791E-4B91-A99D-FE44AF2D3440",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E2A2A3-8C15-4C76-8180-9E980572FBB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4BC748F7-4CC5-458B-8C45-EB9BF31761BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A42999B0-A8A4-4828-AD0E-6B0B0401242A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A7FE03A-DBC3-471C-936B-7F0E3F34508C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A934D909-0AF8-4A8D-BC87-60D1F5B0577E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C6D579FA-0476-45F1-87C6-EE2460A4C27C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2D159120-E1A8-4518-BD9B-79AA38696BF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:5.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E61C7B6F-6BB6-4BE0-8E4C-F0593663CD64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:5.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CD3B8E1D-42C1-4304-86A3-9A81A4FB1250",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8B1E93EC-C59F-40C1-B021-B85C3D64CE27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C2DEF8FD-89AA-460B-A6D3-91F9192444E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C3EC3EC4-84BF-4402-A061-FE70116C75FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "274DBBC9-B229-4F8C-A0AC-E335067701E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5A7DE2A2-3323-4F3D-9B0C-E03E875707EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55D4B584-D55E-4C49-8E70-7DB1824004E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "13E62FFB-D768-48F0-BEDF-30DB5EB63BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "19CD4139-7BA5-4203-B9C1-1B6B7C5C7B6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6A65518C-CF38-4789-A3C4-3BB8035C34FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "63CA554E-825F-461B-85AA-511B6D67D61E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A2AC05C0-73B5-4F5D-B184-E528EB2823F1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "the web framework using ljharb\u0027s qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash."
},
{
"lang": "es",
"value": "El framework web utilizando el m\u00f3dulo qs anterior a las versiones v6.3.2, v6.2.3, v6.1.2 y v6.0.4 de ljharb, es vulnerable a una DoS. Un usuario malicioso puede enviar una petici\u00f3n malintencionada para causar un bloqueo del framework web."
}
],
"id": "CVE-2017-1000048",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-17T13:18:17.453",
"references": [
{
"source": "cve@mitre.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2672"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ljharb/qs/issues/200"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2672"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ljharb/qs/issues/200"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-05-31 20:29
Modified
2024-11-21 02:03
Severity ?
Summary
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://nodesecurity.io/advisories/28 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodesecurity.io/advisories/28 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qs_project | qs | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9380A9BB-F9DF-43D5-AA81-DBFA67DE2CC9",
"versionEndExcluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring."
},
{
"lang": "es",
"value": "El m\u00f3dulo qs en versiones anteriores a la 1.0.0 no tiene una opci\u00f3n o configuraci\u00f3n por defecto para especificar la profundidad del objeto y, al analizar una cadena que representa un objeto profundamente anidado, bloquear\u00e1 el bucle de eventos durante largos per\u00edodos de tiempo. Un atacante podr\u00eda aprovecharse de esto para provocar una condici\u00f3n de denegaci\u00f3n de servicio (DoS), por ejemplo, en una aplicaci\u00f3n web; otras peticiones no se procesar\u00edan mientras ocurre este bloqueo."
}
],
"id": "CVE-2014-10064",
"lastModified": "2024-11-21T02:03:26.387",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-31T20:29:00.220",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/28"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2017-1000048 (GCVE-0-2017-1000048)
Vulnerability from cvelistv5
Published
2017-07-13 20:00
Modified
2024-08-05 21:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:53:06.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ljharb/qs/issues/200"
},
{
"name": "RHSA-2017:2672",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2672"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2017-05-06T00:00:00",
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "the web framework using ljharb\u0027s qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-30T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ljharb/qs/issues/200"
},
{
"name": "RHSA-2017:2672",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2672"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2017-05-06T20:43:28.296131",
"ID": "CVE-2017-1000048",
"REQUESTER": "myvyang@gmail.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "the web framework using ljharb\u0027s qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ljharb/qs/issues/200",
"refsource": "CONFIRM",
"url": "https://github.com/ljharb/qs/issues/200"
},
{
"name": "RHSA-2017:2672",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2672"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-1000048",
"datePublished": "2017-07-13T20:00:00",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-08-05T21:53:06.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-10064 (GCVE-0-2014-10064)
Vulnerability from cvelistv5
Published
2018-05-31 20:00
Modified
2024-09-17 00:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Denial of Service ()
Summary
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | qs node module |
Version: <1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:02:38.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "qs node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c1.0.0"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-31T19:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/28"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2014-10064",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "qs node module",
"version": {
"version_data": [
{
"version_value": "\u003c1.0.0"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/28",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/28"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2014-10064",
"datePublished": "2018-05-31T20:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-17T00:36:04.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24999 (GCVE-0-2022-24999)
Vulnerability from cvelistv5
Published
2022-11-26 00:00
Modified
2025-04-29 13:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3299-1] node-qs security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-24999",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T13:56:22.823843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T13:56:42.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:42.462Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3299-1] node-qs security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24999",
"datePublished": "2022-11-26T00:00:00.000Z",
"dateReserved": "2022-02-14T00:00:00.000Z",
"dateUpdated": "2025-04-29T13:56:42.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}