CVE-2022-24999 @ Npm-qs-6.2.1

[RobertMickleCx]

Vulnerable Package issue exists @ Npm-qs-6.2.1 in branch master

The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an " proto key" can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as "a[proto]=b&a[proto]&a[length]=100000000". This vulnerability affects qs versions through 6.2.3, 6.3.0 through 6.3.2, 6.4.0, 6.5.0 through 6.5.2, 6.6.0, 6.7.0 through 6.7.2, 6.8.0 through 6.8.2, 6.9.0 through 6.9.6 and 6.10.0 through 6.10.2 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Namespace: RobertMickleCx Repository: NodeGoat Repository Url: https://github.com/RobertMickleCx/NodeGoat CxAST-Project: RobertMickleCx/NodeGoat CxAST platform scan: 3f4864fd-127b-412c-8cca-4b4873ce2f29 Branch: master Application: NodeGoat Severity: HIGH State: NOT_IGNORED Status: RECURRENT CWE: CWE-1321

---

Additional Info Attack vector: NETWORK Attack complexity: LOW Confidentiality impact: NONE Availability impact: HIGH Remediation Upgrade Recommendation: 6.2.4

---

References Advisory Disclosure Release Note Pull request Commit