{"id":"CVE-2022-24999","details":"qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).","aliases":["GHSA-hrpp-h998-j3pp"],"modified":"2026-03-11T07:46:32.071364Z","published":"2022-11-26T22:15:10.153Z","related":["ALSA-2023:0050","MGASA-2023-0053"],"references":[{"type":"WEB"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230908-0005/"},{"type":"ADVISORY","url":"https://github.com/expressjs/express/releases/tag/4.17.3"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"},{"type":"FIX","url":"https://github.com/ljharb/qs/pull/428"},{"type":"EVIDENCE","url":"https://github.com/n8tz/CVE-2022-24999"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressjs/express","events":[{"introduced":"0"},{"fixed":"3d7fce56a35f4f73fa437866cd1401587a212334"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.17.3"}]}},{"type":"GIT","repo":"https://github.com/ljharb/qs","events":[{"introduced":"0"},{"fixed":"90d9f2b45715b7b03da92113a7b8af236c01088d"},{"introduced":"8aa9c26f90335b5483a4f456dea9acbada8a881c"},{"fixed":"ff235b4ca81f82728b745b71fbd4bad173535305"},{"introduced":"d66ac175bbf8afa44b41c2c85b04ae00bac7c916"},{"fixed":"298bfa55d6db00ddea78dd0333509aadf9bb3077"},{"introduced":"125e103b61f2bef245970f5a2a8dceffe5aab59a"},{"fixed":"834389afb51ac8cc03a22a0c76604c65776dc468"},{"introduced":"7ebe4ad78f6abc9fcc15bdfd0e5a9a771b855cf5"},{"fixed":"0
db55386013a5d92503944ad42022fd8c112c983"},{"introduced":"670254b63fc7770894eed9a0f020bc0b72698ce3"},{"fixed":"4cd003291fe3b347884f797e548b58a12150a0e3"},{"introduced":"7c1fcc53047ed2d7555910fbce9f72eed1e450b1"},{"fixed":"f92ddb56089ae2c74f5ca7b0447fef3a97e8c9bc"},{"introduced":"0"},{"last_affected":"c7f87b8d2eedd377f6ace065655201f51bee6334"},{"introduced":"0"},{"last_affected":"34af57edde61639054ea7b38fdfce050cffdab29"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.2.4"},{"introduced":"6.3.0"},{"fixed":"6.3.3"},{"introduced":"6.5.0"},{"fixed":"6.5.3"},{"introduced":"6.7.0"},{"fixed":"6.7.3"},{"introduced":"6.8.0"},{"fixed":"6.8.3"},{"introduced":"6.9.0"},{"fixed":"6.9.7"},{"introduced":"6.10.0"},{"fixed":"6.10.3"},{"introduced":"0"},{"last_affected":"6.4.0"},{"introduced":"0"},{"last_affected":"6.6.0"}]}}],"versions":["0.0.1","0.0.2","0.1.0","0.10.0","0.10.1","0.11.0","0.12.0","0.13.0","0.14.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.8.0","0.9.0","1.0.0","1.0.0beta","1.0.0beta2","1.0.0rc","1.0.0rc2","1.0.0rc3","1.0.0rc4","2.0.0","2.0.0beta2","2.0.0beta3","2.0.0rc","2.0.0rc2","2.0.0rc3","2.1.0","2.1.1","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.3.10","2.3.11","2.3.12","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0","2.4.1","2.4.2","2.4.3","3.0.0alpha1","3.0.0alpha2","3.0.0alpha3","3.0.0alpha4","3.0.0alpha5","3.0.0beta1","3.0.0beta2","3.0.0beta3","3.0.0beta4","3.0.0beta5","3.0.0beta6","3.0.0beta7","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.1.0","3.1.1","3.1.2","3.10.0","3.10.1","3.10.2","3.10.3","3.10.4","3.10.5","3.11.0","3.12.0","3.12.1","3.13.0","3.14.0","3.15.0","3.15.1","3.15.2","3.15.3","3.16.0","3.16.1","3.16.10","3.16.2","3.16.3","3.16.4","3.16.5","3.16.6","3.16.7","3.16.8","3.16.9","3.17.0","3.17.1","3.17.2","3.17.3","3.17.4","3.17.5","3.17.6","3.17.7","3.17.8","3.18.0","3.18.1","3.18.2","3.18.3","3.18.4","3.18
.5","3.18.6","3.19.0","3.19.1","3.19.2","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.20.0","3.20.1","3.20.2","3.20.3","3.21.0","3.21.1","3.21.2","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.4.7","3.4.8","3.5.0","3.5.1","3.5.2","3.5.3","3.6.0","3.7.0","3.8.0","3.8.1","3.9.0","4.0.0","4.0.0-rc1","4.0.0-rc2","4.0.0-rc3","4.0.0-rc4","4.1.0","4.1.1","4.1.2","4.10.0","4.10.1","4.10.2","4.10.3","4.10.4","4.10.5","4.10.6","4.10.7","4.10.8","4.11.0","4.11.1","4.11.2","4.12.0","4.12.1","4.12.2","4.12.3","4.12.4","4.13.0","4.13.1","4.13.2","4.13.3","4.13.4","4.14.0","4.14.1","4.15.0","4.15.1","4.15.2","4.15.3","4.15.4","4.15.5","4.16.0","4.16.1","4.16.2","4.16.3","4.16.4","4.17.0","4.17.1","4.17.2","4.2.0","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.2","4.4.3","4.4.4","4.4.5","4.5.0","4.5.1","4.6.0","4.6.1","4.7.0","4.7.1","4.7.2","4.7.3","4.7.4","4.8.0","4.8.1","4.8.2","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.9.0","4.9.1","4.9.2","4.9.3","4.9.4","4.9.5","4.9.6","4.9.7","4.9.8","v6.0.3","v6.1.1","v6.2.2","v6.2.3","v6.3.0","v6.3.1","v6.4.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}