{"id":"CVE-2022-24999","details":"qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).","aliases":["GHSA-hrpp-h998-j3pp"],"modified":"2026-04-16T04:37:40.659441733Z","published":"2022-11-26T22:15:10.153Z","related":["ALSA-2023:0050"],"references":[{"type":"ADVISORY","url":"https://github.com/expressjs/express/releases/tag/4.17.3"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230908-0005/"},{"type":"FIX","url":"https://github.com/ljharb/qs/pull/428"},{"type":"EVIDENCE","url":"https://github.com/n8tz/CVE-2022-24999"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressjs/express","events":[{"introduced":"0"},{"fixed":"3d7fce56a35f4f73fa437866cd1401587a212334"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.17.3"}]}},{"type":"GIT","repo":"https://github.com/ljharb/qs","events":[{"introduced":"0"},{"fixed":"90d9f2b45715b7b03da92113a7b8af236c01088d"},{"introduced":"8aa9c26f90335b5483a4f456dea9acbada8a881c"},{"fixed":"ff235b4ca81f82728b745b71fbd4bad173535305"},{"introduced":"d66ac175bbf8afa44b41c2c85b04ae00bac7c916"},{"fixed":"298bfa55d6db00ddea78dd0333509aadf9bb3077"},{"introduced":"125e103b61f2bef245970f5a2a8dceffe5aab59a"},{"fixed":"834389afb51ac8cc03a22a0c76604c65776dc468"},{"introduced":"7ebe4ad78f6abc9fcc15bdfd0e5a9a771b855cf5"},{"fixed":"0db55386013a5d92503944ad42022fd8c112c983"},{"introduced":"670254b63fc7770894eed9a0f020bc0b72698ce3"},{"fixed":"4cd003291fe3b347884f797e548b58a12150a0e3"},{"introduced":"7c1fcc53047ed2d7555910fbce9f72eed1e450b1"},{"fixed":"f92ddb56089ae2c74f5ca7b0447fef3a97e8c9bc"},{"introduced":"0"},{"last_affected":"c7f87b8d2eedd377f6ace065655201f51bee6334"},{"introduced":"0"},{"last_affected":"34af57edde61639054ea7b38fdfce050cffdab29"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.2.4"},{"introduced":"6.3.0"},{"fixed":"6.3.3"},{"introduced":"6.5.0"},{"fixed":"6.5.3"},{"introduced":"6.7.0"},{"fixed":"6.7.3"},{"introduced":"6.8.0"},{"fixed":"6.8.3"},{"introduced":"6.9.0"},{"fixed":"6.9.7"},{"introduced":"6.10.0"},{"fixed":"6.10.3"},{"introduced":"0"},{"last_affected":"6.4.0"},{"introduced":"0"},{"last_affected":"6.6.0"}]}}],"versions":["0.1.0","0.10.0","0.10.1","0.11.0","0.12.0","0.13.0","0.14.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.8.0","0.9.0","1.0.0","1.0.0beta","1.0.0beta2","1.0.0rc","1.0.0rc2","1.0.0rc3","1.0.0rc4","2.0.0","2.0.0beta2","2.0.0beta3","2.0.0rc","2.0.0rc2","2.0.0rc3","2.1.0","2.1.1","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.3.10","2.3.11","2.3.12","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0","2.4.1","2.4.2","2.4.3","3.0.0alpha1","3.0.0alpha2","3.0.0alpha3","3.0.0alpha4","3.0.0alpha5","3.0.0beta1","3.0.0beta2","3.0.0beta3","3.0.0beta4","3.0.0beta5","3.0.0beta6","3.0.0beta7","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.1.0","3.1.1","3.1.2","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.4.0","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.4.7","4.0.0","4.0.0-rc1","4.0.0-rc2","4.0.0-rc3","4.0.0-rc4","4.1.0","4.1.1","4.10.0","4.10.1","4.10.2","4.10.3","4.10.4","4.10.5","4.10.6","4.10.7","4.10.8","4.11.0","4.11.1","4.11.2","4.12.0","4.12.1","4.12.2","4.12.3","4.12.4","4.13.0","4.13.1","4.13.2","4.13.3","4.13.4","4.14.0","4.14.1","4.15.0","4.15.1","4.15.2","4.15.3","4.15.4","4.15.5","4.16.0","4.16.1","4.16.2","4.16.3","4.16.4","4.17.0","4.17.1","4.17.2","4.2.0","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.2","4.4.3","4.4.4","4.5.0","4.5.1","4.6.0","4.6.1","4.7.0","4.7.1","4.7.2","4.7.3","4.7.4","4.8.0","4.8.1","4.8.2","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.9.0","4.9.1","4.9.2","4.9.3","4.9.4","4.9.5","4.9.6","4.9.7","4.9.8","v1.0.0","v1.0.1","v1.0.2","v1.1.0","v1.2.0","v1.2.1","v1.2.2","v2.0.0","v2.1.0","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.4.0","v2.4.1","v2.4.2","v3.0.0","v3.1.0","v4.0.0","v5.0.0","v5.1.0","v5.2.0","v6.0.0","v6.0.1","v6.0.2","v6.1.0","v6.10.0","v6.10.1","v6.10.2","v6.2.0","v6.2.1","v6.2.2","v6.2.3","v6.3.0","v6.3.1","v6.3.2","v6.4.0","v6.5.0","v6.5.1","v6.5.2","v6.6.0","v6.7.0","v6.7.1","v6.7.2","v6.8.0","v6.8.1","v6.8.2","v6.9.0","v6.9.1","v6.9.2","v6.9.3","v6.9.4","v6.9.5","v6.9.6"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}