CVE-2022-24999
Denial of Service vulnerability in qs (npm)
What is CVE-2022-24999 About?
The `qs` query-string parser before 6.10.3 (and the unpatched releases of the older branches listed below) treats a `__proto__` key segment like any other key. An attacker who can place a crafted `__proto__` key in a query string that the application parses with qs can make the Node.js process hang. The whole attack is a single URL with bracket-notation parameters; no authentication is needed.
Affected Software
- qs
  - < 6.2.4
  - >= 6.3.0, < 6.3.3
  - >= 6.4.0, < 6.4.1
  - >= 6.5.0, < 6.5.3
  - >= 6.6.0, < 6.6.1
  - >= 6.7.0, < 6.7.3
  - >= 6.8.0, < 6.8.3
  - >= 6.9.0, < 6.9.7
  - >= 6.10.0, < 6.10.3
Technical Details
qs parses bracket notation such as `a[b]=c` into nested objects by creating an empty object for each key segment and assigning the value under the segment name. In the affected versions the segment `__proto__` is assigned like any other key, so `obj['__proto__'] = value` runs. When `value` is an object, that statement does not create a property: it replaces the object's prototype. The published payload, `a[__proto__]=b&a[__proto__]&a[length]=100000000`, arranges exactly that. The two `a[__proto__]` pairs are collected into the array `['b', '']`, which becomes the prototype of `a`, so `a` now inherits everything on `Array.prototype` (including its iterator) while `Array.isArray(a)` stays false. The third pair then gives `a` an own `length` of `100000000`. Any consumer that treats the result as array-like and walks it up to `length` (`Array.from`, spread, `for...of`, the generic `Array.prototype` methods) now iterates a hundred million slots synchronously, which blocks the event loop; that is the hang.

Three qs options decide whether the payload reaches this code. The default `allowPrototypes: false` already discards any key segment that is an own property of `Object.prototype`, and `__proto__` is one, so a bare `qs.parse()` call with default options is not reachable by this payload. Express's built-in query parser and body-parser's extended urlencoded parser pass `allowPrototypes: true` for backward compatibility, which is why the advisory names Express before 4.17.3 as affected. With `plainObjects: true` the parsed objects are created with `Object.create(null)`, so `__proto__` is an ordinary own key and there is no prototype to replace. The fix, released in 6.10.3 and backported to the older branches, skips the assignment when the segment is `__proto__`.
What is the Impact of CVE-2022-24999?
Successful exploitation may allow attackers to cause a Node.js process to hang, leading to denial of service for the affected application or service.
What is the Exploitability of CVE-2022-24999?
Exploitation is straightforward. An unauthenticated remote attacker places the payload in the query string of a URL (or, where body-parser's extended urlencoded mode is used, in a form body) that the application parses with a vulnerable qs. No credentials, privileges or user interaction are required, and the request looks like ordinary bracket-notation parameters. The precondition is that qs is reached with `allowPrototypes: true`, which Express's query parser and body-parser's extended mode set by default; applications that call `qs.parse()` themselves with default options are not reachable by this payload. Express's query middleware runs qs on every request's query string before routing, so the payload does not depend on a particular endpoint, and any client that can send a request to an unpatched Node.js application is a potential attacker.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| n8tz | https://github.com/n8tz/CVE-2022-24999 | "qs" prototype poisoning vulnerability (CVE-2022-24999) |
What are the Available Fixes for CVE-2022-24999?
About the Fix from Resolved Security
This patch adds a check to the step of qs's parser that builds the nested object for a key, so that a key segment named `__proto__` is skipped instead of being assigned; the remaining segments of the key are still processed, so the published payload now parses to `{ a: { length: '100000000' } }` with an ordinary prototype. Because crafted query strings can no longer replace an object's prototype chain, this closes the array-like DoS of CVE-2022-24999 and prototype pollution through the same path.
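The mechanism described under Technical Details and the effect of the fix described above, as an added example that is not qs's own code: a stripped-down parser that follows the same pipeline as qs (flatten the pairs, build the nested object for each key innermost segment first, deep-merge the results), with an `ignoreProto` switch standing in for the upstream check and `allowPrototypes` mirroring the qs option. `parseQuery`, `arrayLikeView`, `PAYLOAD` and the short-length `SHORT_PAYLOAD` are all constructed here for illustration.

```javascript
'use strict';

const has = Object.prototype.hasOwnProperty;

// Split "k=v&k2=v2" into a flat map. Repeated keys collect into an array,
// which is what turns the two `a[__proto__]` pairs into the array ['b', ''].
function parseValues(str) {
  const flat = Object.create(null);
  for (const part of str.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const val = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1));
    flat[key] = key in flat ? [].concat(flat[key], val) : val;
  }
  return flat;
}

// Build the nested object for one key chain, innermost segment first.
// `ignoreProto` models the upstream fix: a segment named __proto__ is
// skipped instead of being assigned like any other property.
function parseObject(chain, leaf, ignoreProto) {
  for (let i = chain.length - 1; i >= 0; --i) {
    const obj = {};
    const seg = chain[i];
    if (!(ignoreProto && seg === '__proto__')) {
      // With seg === '__proto__' and an object leaf this does not add a
      // property: it replaces obj's prototype with the attacker's value.
      obj[seg] = leaf;
    }
    leaf = obj;
  }
  return leaf;
}

// Split "a[b][c]" into ['a', 'b', 'c']. As in qs, the whole key is dropped
// when a segment is an own property of Object.prototype (and __proto__ is
// one) unless allowPrototypes is set, which Express and body-parser do.
function parseKeys(key, leaf, opts) {
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return undefined;
  const chain = [];
  if (m[1]) chain.push(m[1]);
  for (const seg of m[2].match(/\[[^[\]]*\]/g) || []) chain.push(seg.slice(1, -1));
  if (!opts.allowPrototypes && chain.some((s) => has.call(Object.prototype, s))) {
    return undefined;
  }
  return parseObject(chain, leaf, opts.ignoreProto);
}

// Deep-merge `source` into `target`; scalars meeting scalars combine into arrays.
function merge(target, source) {
  if (source === undefined) return target;
  if (typeof source !== 'object' || typeof target !== 'object') {
    return [].concat(target, source);
  }
  for (const key of Object.keys(source)) {
    target[key] = has.call(target, key) ? merge(target[key], source[key]) : source[key];
  }
  return target;
}

function parseQuery(str, opts = {}) {
  const flat = parseValues(str);
  let obj = {};
  for (const key of Object.keys(flat)) {
    obj = merge(obj, parseKeys(key, flat[key], opts));
  }
  return obj;
}

// What a downstream consumer does with an array-like: anything that walks it
// to `length` (Array.from, spread, for...of, generic Array.prototype methods)
// visits Number(length) slots. With the published length that is the hang.
function arrayLikeView(value) {
  if (!Array.prototype.isPrototypeOf(value)) return null;
  return Array.from(value);
}

// Constructed payloads: the published shape, and a short-length variant that
// is safe to expand for a demonstration.
const PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';
const SHORT_PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=5';

const demo = parseQuery(SHORT_PAYLOAD, { allowPrototypes: true }).a;
console.log('Array.isArray:', Array.isArray(demo), 'inherits Array.prototype:', Array.prototype.isPrototypeOf(demo));
console.log('array-like walk to length:', arrayLikeView(demo));
console.log('with the fix:', parseQuery(PAYLOAD, { allowPrototypes: true, ignoreProto: true }));
```

The vulnerable parse of the published payload returns an `a` for which `Array.isArray` is false but `Array.prototype.isPrototypeOf` is true, with an own `length` of `'100000000'`; `JSON.stringify` of the result still prints `{"a":{"length":"100000000"}}`, so logging the parsed query as JSON does not reveal the poisoned prototype. The short payload is expanded with `Array.from` to show the walk to `length` (the inherited `'b'` and `''` followed by `undefined` slots); with the published value that same call is the hang. With `ignoreProto`, or with the qs default `allowPrototypes: false`, the result is a plain `{ a: { length: '100000000' } }`.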
Available Upgrade Options
- qs
  - < 6.2.4 → Upgrade to 6.2.4
  - >= 6.3.0, < 6.3.3 → Upgrade to 6.3.3
  - >= 6.4.0, < 6.4.1 → Upgrade to 6.4.1
  - >= 6.5.0, < 6.5.3 → Upgrade to 6.5.3
  - >= 6.6.0, < 6.6.1 → Upgrade to 6.6.1
  - >= 6.7.0, < 6.7.3 → Upgrade to 6.7.3
  - >= 6.8.0, < 6.8.3 → Upgrade to 6.8.3
  - >= 6.9.0, < 6.9.7 → Upgrade to 6.9.7
  - >= 6.10.0, < 6.10.3 → Upgrade to 6.10.3
Additional Resources
- https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec
- https://github.com/ljharb/qs/pull/428
- https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68
- https://github.com/n8tz/CVE-2022-24999
- https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b
- https://github.com/ljharb/qs
- https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee
- https://osv.dev/vulnerability/GHSA-hrpp-h998-j3pp
- https://nvd.nist.gov/vuln/detail/CVE-2022-24999
What are Similar Vulnerabilities to CVE-2022-24999?
Similar Vulnerabilities: CVE-2020-8200, CVE-2021-23359, CVE-2017-16060, CVE-2018-3721, CVE-2021-23424
