qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Vulnerabilities
Details
CVE-2022-24999
### Vulnerable Library - qs-6.2.0.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz
Dependency Hierarchy: - express-4.14.0.tgz (Root Library) - :x: **qs-6.2.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.2.4
Direct dependency fix Resolution (express): 4.15.0
CVE-2017-1000048
### Vulnerable Library - qs-6.2.0.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.0.tgz
Dependency Hierarchy: - express-4.14.0.tgz (Root Library) - :x: **qs-6.2.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsthe web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000048
Release Date: 2017-07-17
Fix Resolution (qs): 6.2.3
Direct dependency fix Resolution (express): 4.15.0
CVE-2017-16138
### Vulnerable Library - mime-1.3.4.tgzA comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Dependency Hierarchy: - express-4.14.0.tgz (Root Library) - serve-static-1.11.2.tgz - send-0.14.2.tgz - :x: **mime-1.3.4.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (express): 4.16.0
CVE-2017-16119
### Vulnerable Library - fresh-0.3.0.tgzHTTP response freshness testing
Library home page: https://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz
Dependency Hierarchy: - express-4.14.0.tgz (Root Library) - :x: **fresh-0.3.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsFresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/526
Release Date: 2018-06-07
Fix Resolution (fresh): 0.5.2
Direct dependency fix Resolution (express): 4.15.5