CVE-2024-51999
Prototype Pollution vulnerability in express (npm)

Prototype Pollution
No known exploit

What is CVE-2024-51999 About?

This vulnerability is a Prototype Pollution issue in Express.js when the extended query parser is in use. The parsed `request.query` object is an ordinary object that inherits from `Object.prototype`, so names that exist on the prototype resolve on it even when the client never sent them, and crafted query string keys can reach and overwrite prototype properties. This can lead to unexpected behaviour or arbitrary property modification. Exploitation is relatively easy, as it only requires crafting specific query string parameters.

Affected Software

  • express
    • >=5.0.0, <5.2.0
    • <4.22.0

Technical Details

When Express.js is configured to use the extended query parser (the default in Express 4), the `request.query` object is not created with a null prototype; it is an ordinary object that inherits from `Object.prototype`. Two consequences follow. First, lookups on `request.query` for names such as `constructor`, `hasOwnProperty` or `__proto__` resolve to inherited prototype members whether or not the client supplied them, so code that treats `request.query.<name>` being defined as "this parameter was sent" can be misled. Second, an attacker can craft query string keys that match `Object.prototype` property names (e.g., `?__proto__.polluted=true`). When the parser walks such a key to build nested objects, the write can land directly on `Object.prototype`, and the injected property then appears on every object in the application. Depending on which properties are overwritten and how the application uses them, this can lead to property injection, denial of service, or even remote code execution.
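The mechanism described above, as an added example that is not Express or qs code: a minimal bracket-notation query parser written for this page is run twice, once with plain-object containers (the vulnerable shape, inheriting from `Object.prototype`) and once with null-prototype containers (the hardened shape). The parser itself, the `__proto__[polluted]` payload, and the helper names `parseQueryPlain`, `parseQueryNullProto`, `lookupParam` and `demonstratePollution` are all constructed for illustration.

```javascript
'use strict';

// Minimal bracket-notation parser standing in for an "extended" query parser.
// Hypothetical code written for this example, not Express's or qs's parser.
// makeContainer decides what kind of object holds nested keys.
function parseQuery(queryString, makeContainer) {
  const out = makeContainer();
  for (const pair of queryString.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    // "a[b][c]" -> ["a", "b", "c"]
    const path = rawKey.split(/\]?\[|\]$/).filter((s) => s.length > 0);
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      // On a plain object, reading node["__proto__"] yields Object.prototype,
      // so the walk steps onto the shared prototype and the final write
      // below lands there. On a null-prototype object it is just a missing key.
      if (typeof node[seg] !== 'object' || node[seg] === null) {
        node[seg] = makeContainer();
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Vulnerable shape: containers are ordinary objects that inherit Object.prototype.
function parseQueryPlain(queryString) {
  return parseQuery(queryString, () => ({}));
}

// Hardened shape: containers have a null prototype, so "__proto__" and
// "constructor" are ordinary own keys with no special meaning.
function parseQueryNullProto(queryString) {
  return parseQuery(queryString, () => Object.create(null));
}

// Defensive lookup for code that still receives plain objects: only an own
// property counts as "supplied by the client"; inherited names are ignored.
function lookupParam(query, name) {
  return Object.prototype.hasOwnProperty.call(query, name) ? query[name] : undefined;
}

// Runs one constructed payload through both parsers and reports the outcome.
// The global side effect of the vulnerable run is undone before returning.
function demonstratePollution() {
  const payload = '?__proto__[polluted]=true&name=alice'; // constructed sample input
  const report = {};

  const plain = parseQueryPlain(payload);
  report.plainPolluted = ({}).polluted === 'true';               // true: every object now has .polluted
  report.plainSeesConstructor = plain.constructor !== undefined;  // true: inherited, never sent
  report.plainLookupConstructor = lookupParam(plain, 'constructor'); // undefined: own-key check
  delete Object.prototype.polluted;                              // restore the global prototype

  const safe = parseQueryNullProto(payload);
  report.nullProtoPolluted = ({}).polluted === 'true';           // false: prototype untouched
  report.safeOwnProtoKey = Object.prototype.hasOwnProperty.call(safe, '__proto__'); // true: harmless own key
  report.safeSeesConstructor = safe.constructor !== undefined;   // false: nothing inherited
  report.safeName = safe.name;                                   // 'alice': normal keys still work
  return report;
}

console.log(demonstratePollution());
```

The two parsers differ only in how containers are created; the `delete` in `demonstratePollution` exists because a polluted `Object.prototype` would otherwise leak into everything else in the process, which is exactly the effect the advisory describes. The own-property lookup is the check to keep even after upgrading, since any other plain object reached from request data has the same inheritance.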

What is the Impact of CVE-2024-51999?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript objects, potentially leading to unexpected application behavior, denial of service, or in some contexts, remote code execution.

What is the Exploitability of CVE-2024-51999?

Exploiting this vulnerability is straightforward and requires no authentication: an attacker only needs to send an HTTP request whose query string contains the crafted parameters, and the effect takes hold as soon as the query string is parsed. The primary prerequisite is that the application uses Express.js with the extended query parser (the Express 4 default); applications that have switched the `query parser` setting away from `extended` are not exposed through this path. The risk is elevated in applications that read user-supplied data from query strings without validating which properties they accept, since a polluted prototype affects the application's entire object model.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known public exploits.

What are the Available Fixes for CVE-2024-51999?

Available Upgrade Options

  • express
    • <4.22.0 → Upgrade to 4.22.0
  • express
    • >=5.0.0, <5.2.0 → Upgrade to 5.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-51999?

Similar Vulnerabilities: CVE-2023-38035 , CVE-2020-28285 , CVE-2021-23337 , CVE-2022-25916 , CVE-2020-7798