{"id":"CVE-2024-51999","details":"Express.js is a minimalist web framework for Node.js. Prior to 5.2.0 and 4.22.0, when using the extended query parser in Express ('query parser': 'extended'), the request.query object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names. As a result, application code that reads an inherited property from request.query (for example hasOwnProperty or toString) may receive a client-supplied value instead of the built-in one. This vulnerability is fixed in 5.2.0 and 4.22.0.","aliases":["GHSA-pj86-cfqh-vqx6"],"modified":"2026-04-10T05:14:59.483059Z","published":"2025-12-01T21:15:49.100Z","related":["CGA-jw7g-pwr3-m668"],"references":[{"type":"WEB","url":"https://github.com/expressjs/express/releases/tag/4.22.0"},{"type":"WEB","url":"https://github.com/expressjs/express/releases/tag/v5.2.0"},{"type":"ADVISORY","url":"https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6"},{"type":"FIX","url":"https://github.com/expressjs/express/commit/2f64f68c37c64ae333e41ff38032d21860f22255"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressjs/express","events":[{"introduced":"0"},{"fixed":"2f64f68c37c64ae333e41ff38032d21860f22255"},{"fixed":"4007ad103ba29f6426b2ec9eccfb1ceb792682a8"},{"fixed":"49744abd1120484fe64d7bde1cd3197c32523b6e"}]}],"versions":["0.1.0","0.10.0","0.10.1","0.11.0","0.12.0","0.13.0","0.14.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.8.0","0.9.0","1.0.0","1.0.0beta","1.0.0beta2","1.0.0rc","1.0.0rc2","1.0.0rc3","1.0.0rc4","2.0.0","2.0.0beta2","2.0.0beta3","2.0.0rc","2.0.0rc2","2.0.0rc3","2.1.0","2.1.1","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.3.10","2.3.11","2.3.12","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0","2.4.1","2.4.2","2.4.3","3.0.0alpha1","3.0.0alpha2","3.0.0alpha3","3.0.0alpha4","3.0.0alpha5","3.0.0beta1","3.0.0beta2","3.0.0beta3","3.0.0beta4","3.0.0beta5","3.0.0beta6","3.0.0beta7","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.1.0","3.1.1","3.1.2","3.2.0","3.2.1
","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.4.0","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.4.7","4.0.0","4.0.0-rc1","4.0.0-rc2","4.0.0-rc3","4.0.0-rc4","4.1.0","4.1.1","4.10.0","4.10.1","4.10.2","4.10.3","4.10.4","4.10.5","4.10.6","4.10.7","4.10.8","4.11.0","4.11.1","4.11.2","4.12.0","4.12.1","4.12.2","4.12.3","4.12.4","4.13.0","4.13.1","4.13.2","4.13.3","4.13.4","4.14.0","4.14.1","4.15.0","4.15.1","4.15.2","4.15.3","4.15.4","4.15.5","4.16.0","4.16.1","4.16.2","4.16.3","4.16.4","4.17.0","4.17.1","4.17.2","4.17.3","4.18.0","4.18.1","4.18.2","4.18.3","4.19.0","4.19.1","4.2.0","4.20.0","4.21.0","4.21.1","4.21.2","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.2","4.4.3","4.4.4","4.5.0","4.5.1","4.6.0","4.6.1","4.7.0","4.7.1","4.7.2","4.7.3","4.7.4","4.8.0","4.8.1","4.8.2","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.9.0","4.9.1","4.9.2","4.9.3","4.9.4","4.9.5","4.9.6","4.9.7","4.9.8","5.0.0-alpha.1","5.0.0-alpha.2","5.0.0-alpha.3","5.0.0-alpha.4","5.0.0-alpha.5","5.0.0-alpha.6","5.0.0-alpha.7","5.0.0-alpha.8","5.0.0-beta.2","v5.0.0","v5.0.0-beta.1","v5.0.0-beta.3","v5.0.1","v5.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}