CVE-2017-1000048
Prototype Pollution Protection Bypass in qs
What is CVE-2017-1000048 About?
This vulnerability is a bypass of the prototype-override protection in the `qs` query string parser. By default, `qs.parse` ignores parameters whose names match properties of `Object.prototype` (such as `toString` or `hasOwnProperty`) unless the `allowPrototypes` option is set. In affected versions a parameter such as `]=toString` (the case documented in the linked advisories) slips past that check, and the parsed object ends up with an own property of that name set to `true`, shadowing the inherited method. Any later call to the shadowed method on the parsed object throws a `TypeError`, so the practical outcome is a denial of service in the request handler. The global `Object.prototype` itself is not modified. Exploitation requires nothing more than a single query string or URL-encoded body parameter.
Affected Software
- qs
- <6.0.4
- >=6.1.0, <6.1.2
- >=6.2.0, <6.2.3
- >=6.3.0, <6.3.2
Technical Details
The `qs.parse` function in affected versions builds the result object in two stages: each parameter name is split into a chain of keys (with `[` and `]` delimiting nested segments), and the value is then merged into the result at that path. The guard that drops key segments matching `Object.prototype` properties is applied during the key-chain stage. A parameter name consisting of a `]` character produces no usable key segment, so its value reaches the merge stage as a bare string, and the merge helper handled a string source by setting `target[source] = true` on the current object without consulting the guard. The request `?]=toString` therefore yields `{ toString: true }`, and `?]=hasOwnProperty` yields `{ hasOwnProperty: true }`: own properties on the parsed object that shadow the inherited methods. Code that calls `String(parsed)`, `parsed.toString()`, or `parsed.hasOwnProperty(name)` on such an object throws a `TypeError`. The effect is confined to the object returned by that `qs.parse` call; the shared `Object.prototype` is not altered, so this is a protection bypass rather than global prototype pollution.
What is the Impact of CVE-2017-1000048?
Successful exploitation lets an unauthenticated remote attacker make a parsed query or body object throw a `TypeError` as soon as the application calls a shadowed builtin on it, crashing the handler or the process and producing a denial of service. The NVD entry scores impact on availability only; data manipulation is limited to the presence of the injected property, and remote code execution is not a consequence of this flaw on its own.
What is the Exploitability of CVE-2017-1000048?
Exploitation needs only a crafted parameter name in input that reaches `qs.parse`; no knowledge of the application beyond that is required, so complexity is low. The usual entry points are URL query strings and URL-encoded request bodies: Express's default `req.query` parsing and `body-parser`'s `urlencoded({ extended: true })` are built on `qs`, so many applications expose the parser to unauthenticated remote input without calling it directly. No privileges or user interaction are needed, and the attack is remote. The conditions are an affected `qs` version, attacker-controlled input reaching `qs.parse` with `allowPrototypes` left at its default of `false` and `plainObjects` unset, and application code that calls `toString`, `hasOwnProperty`, or another `Object.prototype` method on the parsed object (including implicitly through string conversion or logging).
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-1000048?
About the Fix from Resolved Security
The fix (commit beade02, linked below) moves the protection to the merge step of the parser: when a parsed value arrives as a bare string and would be set as a property name on the target object, the property is only created if `plainObjects` is enabled, `allowPrototypes` is `true`, or the name is not a property of `Object.prototype`. With default options, `]=toString` and similar parameters are now dropped like any other attempt to set `toString` or `hasOwnProperty`, closing the bypass of the existing check.
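The following is an added example, not code from the qs project. It models the merge step described in the Technical Details and in the fix description above in its affected and patched forms (simplified reconstructions; the function names are illustrative, only the option names `plainObjects` and `allowPrototypes` follow the real qs API), shows what application code experiences when the parsed object shadows `toString`, and adds a consumer-side check. The inputs are the bare strings that `]=toString` and `]=hasOwnProperty` produce, constructed inline.

```javascript
// Added example, not qs's own source. Models the single step that
// CVE-2017-1000048 concerned (merging a parsed value into the result object)
// in its affected and patched forms, then the consequence for application code.

const hasOwn = Object.prototype.hasOwnProperty;

// Affected behaviour (simplified): a bare string reaching the merge step is
// treated as a property name and set to true, with no guard against names
// that exist on Object.prototype. This is the path "]=toString" took.
function mergeScalarVulnerable(target, source) {
  target[source] = true;
  return target;
}

// Patched behaviour (simplified): the same assignment happens only when the
// caller opted in, or when the name is not an Object.prototype property.
function mergeScalarFixed(target, source, options = {}) {
  if (options.plainObjects || options.allowPrototypes || !hasOwn.call(Object.prototype, source)) {
    target[source] = true;
  }
  return target;
}

// What application code experiences: string conversion of the parsed object
// (explicit String(), template literals, many loggers) throws once the own
// toString is a boolean, because no callable toString/valueOf is left.
function stringifyParsed(obj) {
  try {
    return { ok: true, text: String(obj) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Consumer-side guard: list own keys of a parsed object that shadow an
// Object.prototype member, so the request can be rejected before the object
// reaches code that calls .toString()/.hasOwnProperty() on it.
function shadowedBuiltins(obj) {
  return Object.keys(obj).filter((key) => hasOwn.call(Object.prototype, key));
}

// The shared prototype is untouched by either path: the flaw shadows methods
// on one parsed object, it does not pollute Object.prototype.
function globalPrototypeIntact() {
  return typeof Object.prototype.toString === 'function'
    && typeof Object.prototype.hasOwnProperty === 'function'
    && Object.keys(Object.prototype).length === 0;
}

// Constructed inputs: the bare strings extracted from "]=toString" and
// "]=hasOwnProperty" in affected versions.
const vulnerable = mergeScalarVulnerable(mergeScalarVulnerable({}, 'toString'), 'hasOwnProperty');
const fixedDefault = mergeScalarFixed({}, 'toString', { allowPrototypes: false });
const fixedOptedIn = mergeScalarFixed({}, 'toString', { allowPrototypes: true });
const fixedOrdinary = mergeScalarFixed({}, 'page', {});

console.log('affected :', stringifyParsed(vulnerable), shadowedBuiltins(vulnerable));
console.log('patched  :', stringifyParsed(fixedDefault), shadowedBuiltins(fixedDefault));
console.log('opted in :', stringifyParsed(fixedOptedIn), shadowedBuiltins(fixedOptedIn));
console.log('ordinary :', fixedOrdinary);
console.log('Object.prototype intact:', globalPrototypeIntact());
```

The three-way condition in `mergeScalarFixed` mirrors the patched check; `hasOwn.call(Object.prototype, name)` is the same test to reuse when validating parsed keys in your own code, and `plainObjects: true` (a `null`-prototype result) removes the inherited methods that could be shadowed in the first place, at the cost of a result object with no `hasOwnProperty` of its own.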
Available Upgrade Options
- qs
- <6.0.4 → Upgrade to 6.0.4
- qs
- >=6.1.0, <6.1.2 → Upgrade to 6.1.2
- qs
- >=6.2.0, <6.2.3 → Upgrade to 6.2.3
- qs
- >=6.3.0, <6.3.2 → Upgrade to 6.3.2
Additional Resources
- https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000048
- https://github.com/ljharb/qs/issues/200
- https://access.redhat.com/errata/RHSA-2017:2672
- https://osv.dev/vulnerability/GHSA-gqgv-6jq5-jjj9
- https://www.npmjs.com/advisories/1469
- https://github.com/ljharb/qs
- https://snyk.io/vuln/npm:qs:20170213
What are Similar Vulnerabilities to CVE-2017-1000048?
Similar Vulnerabilities: CVE-2020-8208, CVE-2020-28269, CVE-2020-7712, CVE-2020-7713, CVE-2020-7760
